This year, the U.S. Securities and Exchange Commission (SEC) took a significant step, arguably an unintentional one, towards strengthening national cyber-security: it sent guidance letters to six companies, including Google, Eastman Chemical, AIG and Hartford Financial, instructing them to publicly disclose past cyber-attacks and security breaches.
The letters, which are available for viewing on the public filings database EDGAR, were generated during the SEC’s review of the companies’ periodic financial statements. Specifically, the SEC correspondence compelled the companies to mention past cyber-attacks, regardless of whether the attacks had a material impact on the companies’ earnings. The disclosures, which have become de facto rules for the six companies, are included in the standard “risk factor” section of a company’s financial statements, which explains the various risks a company faces and their implications for earnings and overall market value.
Although it is probable that the SEC’s main reason for the guidance letters was to protect the investing public (by making the risk of cyber-attacks, and the corresponding adverse effects on stock prices, known to investors), the action also plays a role in strengthening national cyber-security. In the absence of legislation directly compelling private companies to strengthen cyber-security policies and infrastructure, targeting the companies’ investor confidence is the next best thing. By compelling companies to disclose present risk levels and past security breaches, the SEC is essentially forcing companies to continuously monitor their cyber-security environment (with the related legal and administrative costs) to ensure future breaches won’t occur. If the companies choose not to address the issue, investor confidence may decline (not to mention more serious scenarios such as ineligibility to bid on government contracts, as well as investor and consumer litigation), forcing management to act in order to prevent downward pressure on share prices.
In light of the ever-increasing need to address national cyber-security issues, the SEC’s action is encouraging for two main reasons. First, it’s obvious that strengthening national cyber-security infrastructure is a public as well as a private sector issue. When adversaries target a government, private companies are just as likely to be attacked, especially if the companies are responsible for maintaining critical infrastructure, are engaged in defense contracting or hold sensitive government information. Notable examples include the system breach of Lockheed Martin and other security contractors and the recent chain of attacks against the country’s largest financial institutions. The bank cyber-attacks are largely thought to have originated from a group operating from inside Iran.
Second, the SEC’s actions illustrate the potential benefits of taking an unconventional approach to strengthening national security. As previously mentioned, there is a strong chance the SEC did not have national security policy in mind when it acted. But in a world of increased use of government contractors and public-private partnerships, the SEC’s actions encourage private companies to strengthen their cyber-defenses and, by extension, the national cyber-defense infrastructure. For a field as broad and far-reaching as national cyber-security, tying increased security measures to a company’s bottom line is a unique and potentially effective approach. There is no doubt that a cross-government, inter-agency approach to national security is a strong strategy, but one that has often been slow to implement. The SEC’s recent actions help to illustrate what such a strategy for cyber-security could look like.