In issuing its “New Cybersecurity Disclosure Guidance” in October 2011, the Securities and Exchange Commission warned that “public companies may violate existing laws and regulations for failure to comply with it,” despite the guidance not having “the force of a binding SEC rule or regulation.” Among other things, the guidance indicates that disclosure of threats to cyber security may be appropriate “prior to any actual cyber attack or incident, as well as during and after an incident.”
Since this guidance was issued, SEC agency letters show that the SEC has asked at least six firms – including financial institutions – to improve their disclosures of cybersecurity risks. In April 2012, Amazon agreed to disclose, in its next quarterly filing, the January 2012 cyber attack on its Zappos.com unit, an attack that resulted in the theft of the addresses and credit card digits of 24 million customers. Similarly, this past May, Google agreed to include a previously disclosed cyber attack in one of its earnings reports. The SEC letters requesting increased disclosures are available on the agency’s website.
On a related note, the most recent Congress reviewed a bill intended to fortify defenses against cyber attacks, including potential safe harbors for firms that follow specified standards in guarding their critical information system networks; however, Congress failed to pass the bill before breaking for recess. In response, the White House is drafting an executive order to address cyber threats. Homeland Security Secretary Janet Napolitano recently confirmed that the draft of the executive order is “close to completion.”