SEC Disclosure Guidelines Urge Businesses to Disclose Not Only Cyberattacks, but Also Risks

Recent cybersecurity breaches at major companies have underscored the importance of careful and comprehensive planning to guard against potential attacks. Attacks can come from human attackers such as hackers, or from viruses and malware. They can result in direct financial losses through theft, lost productivity due to equipment failure or data loss, and civil or criminal liability for exposure of sensitive or confidential data. Companies and organizations should consider how best to incorporate cyberattack data into their risk management plans.

A cyberattack earlier this year on online retailer Zappos resulted in the possible theft of as many as 24 million users’ personal information. The company cut off all access to its services to users outside of the United States for several days, and it faces at least one lawsuit from a customer.

Most U.S. states have enacted laws requiring companies that collect personal information to report cybersecurity breaches in which unauthorized persons may have accessed such information. “Personal information” includes names, home addresses, dates of birth, social security numbers, and other information that could be used in identity theft or other fraudulent activity. Companies typically must notify a government agency as well as the consumers whose information may have been compromised.

The U.S. Securities and Exchange Commission (SEC) recently set out new guidelines for cybersecurity disclosure that could have a long-ranging impact. The guidelines advise companies to provide information about cyberattacks that they have experienced, including the nature and scope of the attack, and the value and character of any lost property. Companies are also encouraged to identify what aspects of the business, such as sales, were harmed by the attack or attacks. The guidelines even recommend that companies disclose the “cyberrisks” they face and the potential consequences of hackers appropriating their data or interfering with their operations, even if they have not suffered an actual attack or breach.

The SEC’s jurisdiction generally extends only to publicly traded companies, but the guidelines may affect other organizations as well. The guidelines specify that companies should make these disclosures on their annual 10-K form, a document that provides an overview of a company’s business, including its finances. The purpose of the new guidelines, according to a former SEC staffer, is to provide information on the security of a company’s digital and computer assets for the benefit of investors. Stakeholders in other types of organizations may also want access to this type of information, and the SEC’s guidelines may lead to demands for more openness and disclosure. Closely held corporations, partnerships, and nonprofit organizations may find themselves under pressure to provide this sort of information.

Although investors and other interested parties could undoubtedly benefit from information on cyberattacks, such disclosure could be problematic for companies. Disclosure of their cyberrisks could expose sensitive parts of their business operations, inadvertently benefiting a competitor or even tipping off a hacker. At the same time, companies could face lawsuits from shareholders if a cyberattack occurs and the company did not disclose all potential risks. Striking a balance between these two interests must be a key factor in an organization’s cyberrisk management plan.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

More Blog Posts:

Public Cloud Computing Has New Guidelines to Help Protect Users’ Privacy and Security, Prism Risk Management Blog, April 18, 2012

Federal Government Develops Definitions and Standards for Cloud Computing, Prism Risk Management Blog, April 18, 2012

Risk Management 101: What Makes Something Insurable by Property & Casualty Insurance? Prism Risk Management Blog, October 27, 2011

Photo credit: ‘U.S. Securities and Exchange Commission headquarters’ by AgnosticPreachersKid (Own work) [CC-BY-SA-3.0], via Wikimedia Commons
