As the latest 10-K filing period for corporations draws to a close, the Securities and Exchange Commission (SEC) is expected to intensify its scrutiny on whether companies’ filings adequately disclose both information security breaches that occurred in the past, and the material risks due to cyber threats such companies face in the future. Since the Senate Commerce Committee focused greater attention upon corporate cybersecurity in a letter to the SEC on May 12, 2011, momentum has been building for expanded corporate disclosure of cybersecurity safeguards and security breaches. In October 2011, the SEC issued guidance that publicly traded companies have a duty to disclose “material information regarding cybersecurity risks and cyber incidents” where failure to do so would make other disclosures misleading. Recent developments both inside and outside the SEC show that corporations can expect an even brighter spotlight this year upon their cybersecurity efforts – and shortfalls. Now more than ever, publicly traded companies need to be prepared to address, whether in responses to SEC comment letters or in preparing future filings, what material risks they may have due to cyber threats and whether they have taken steps to address such risks and vulnerabilities.
In its 2013 Examination Priorities, the SEC identified a number of “risk areas” attracting its focus, including enterprise risk management and companies’ “governance and supervision of information technology systems for topics such as operational capability, market access, and information security, including risks of system outages, and data integrity compromises that may adversely affect investor confidence.” These Examination Priorities were published on February 21, 2013, one week after the President issued an Executive Order on improving critical infrastructure cybersecurity, and several days after the release of the Mandiant report, which tied the Chinese military to cyberattacks on over 140 U.S. and other foreign corporations and entities.