SEC’s Corp Fin Staff Attacks Cyber-Security Disclosure
October 25, 2011 – In The News
The Securities and Exchange Commission's latest staff guidance addresses the disclosure of cyber-security risks, including a five-part checklist of the disclosures the SEC expects to see in corporate filings.
The document outlines the things companies should consider when identifying specific business risks caused by cyber-security incidents. The SEC also wants companies to conduct a self-assessment of their ability to file accurate and timely disclosures to the Commission in the event of an attack.
Ernie Badway agrees that the SEC staff wants companies to adopt the same thought process they gave to preparing disclosures on past hot topics. In this instance, he says, companies will have to disclose policies and procedures in place that relate to data protection. And even if a company has outsourced its data storage functions to third-party vendors, they're still responsible for these disclosures, he says.
Badway suggests a three-pronged strategy to comply with the disclosure requirements. He says to, first, determine the “inventory” of your data and infrastructure, and identify what type of information needs protection. Next, develop procedures and policies based on that inventory, allocating more resources to data that requires additional protection, such as patent information and proprietary data. Finally, prepare corrective measures that can be taken after an incident.
“Have procedures in place to identify these incidents and steps to take after the attack,” he says.