Pressure Rising to Disclose Security Risks
Regulators in the United States and abroad want to know more about what publicly listed companies are doing to prevent and detect data breaches.
Information security disclosures by publicly listed companies in U.S. Securities and Exchange Commission (SEC) filings more than doubled in the past six months, according to an analysis by Intelligize. The New York-based analysis firm found more than 800 references to cybersecurity in SEC filings during that period, a 106 percent increase, The Wall Street Journal reports.
Intelligize attributes the increase to informal SEC guidance issued in October 2011 that calls for voluntary information security disclosures by U.S.-listed companies. The guidance directs listed firms to “review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” Specifically, the guidance advises firms to:
In addition, the SEC guidance notes that companies can report on the costs of preventing data incidents as well as the damages, losses, and impact on financial statements incurred during or after such events. Several U.S. accounting standards provide guidance for such disclosures, the SEC points out.
Securities regulators outside the United States also have been paying greater attention to cybersecurity incidents, risks, and protective measures in recent years, as the number and impact of such events have increased. For example, the Australian federal government is considering a proposal to require companies to disclose data breaches that lead to the theft or publication of personal information, according to Financial Review. The Ponemon Institute, a Traverse City, Mich., security research firm, estimates that such incidents cost Australian firms an average of AU $2.7 million last year. That has prompted the Australian Institute of Company Directors to call for directors to obtain “sufficient IT literacy to critically examine information about IT” and to consider what other information they should request from executives.
Gail Pemberton, a former chief information officer and current public company director of Australia-based firms, tells Financial Review that directors often aren’t aware of an organization’s information security risk. “It’s when it first happens that companies become really aware of the risks they’re carrying and take action,” she says.
Heightened board awareness may be forcing U.S. companies to be more forthcoming about their security risks, but the SEC might not be satisfied with what’s being reported. The Wall Street Journal reports that SEC staff currently are reviewing whether disclosures are providing enough information about information security risks and preventive measures, citing a letter that new SEC Chairman Mary Jo White wrote to Sen. Jay Rockefeller (D-W.Va.). Rockefeller has sought greater cybersecurity disclosures from listed firms. “It’s important for investors to understand whether companies are effectively addressing all forms of risk, from financial and operational to cyber,” Rockefeller said in a statement.
Tim McCollum is associate managing editor of Ia.