If you’re sick of reading about cyber-security then you’ll want to find another article to read right now because we’re going to talk about cyber-security here.
Not only are we talking about it but apparently the Securities and Exchange Commission spent 5 hours talking about it last week at it’s cyber-security roundtable. The Center for Audit Quality published guidance on cyber-security risks one day before the SEC’s confab, diplomatically but firmly stating that external auditors are not responsible for testing a company’s IT controls beyond those relevant to financial reporting. And earlier this year the National Institute of Standards and Technology published a basic framework for managing cyber-security risks.
So we have plenty of discussion much of it quite intelligent about cyber-security risks and the urgent need to address them more effectively. Unfortunately, that seems to be about as far as the conversation has gone so far, leaving compliance officers looking for direction still wandering in the wilderness.
The SEC seems a bit lost, too. Commissioner Luis Aguilar, who pushed to get the cyber-security roundtable on the SEC’s calendar, said as much. There is no doubt that the SEC must play a role in this area, he said. What is less clear is what that role should be.
There’s a legitimate argument that companies shouldn’t disclose every risk they have, because hackers will use that against them. One roundtable participant was Leslie Thornton, general counsel of Washington Gas & Light Co. She told of how hackers have tried to burrow into WGL’s IT systems and change the gas pressure WGL uses in its pipelines, apparently to test whether they could create the risk of an explosion. Should WGL disclose whether those hackers succeeded or how much of a disaster they could cause? I don’t think so, especially when I’m driving over one of those gas lines.
On the other hand, suppose you’re an investor in Target. Target actually had disclosed the possibility that a major data privacy breach could cause material harm to the business. But that language, included in its 2012 annual report, is practically meaningless:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
Another paragraph follows, for a total of 181 words Target devotes to the risks of a cyber-security breach. All of it is a boilerplate recitation of possible risks (private litigation, regulatory enforcement, loss of trust), and we have a program in place to detect and respond to data security incidents.
Fast forward to Target’s annual report for 2013, filed just two weeks ago. Target’s board expanded its disclosure to start with this:
The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
This time the company doubled its disclosure to 365 words, and because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may be difficult to detect for long periods of time, we may be unable to anticipate these techniques or implement adequate preventive measures.
Everything Target disclosed to investors was accurate, and generally in compliance with what the SEC requires for discussing risk factors in the Form 10-K. Still, let’s be honest: a reasonable investor cannot make good judgments about how well Target is working to protect customer data from disclosures like that. Those disclosures don’t say anything.