Invitation to Complimentary Webinar on SEC Cybersecurity Disclosure Guidance

On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.

On October 31st, Hogan Lovells will present a complimentary webinar exploring the impact of the Disclosure Guidance featuring senior lawyers in the Hogan Lovells Capital Markets and Privacy and Information Management practices, as well as a managing director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.

For more information, and to register, click here.

Since all businesses using the Internet are, to some degree, vulnerable to intrusions, what does the new guidance actually mean for public companies? That question, and the following ones, will be addressed in the webinar:

  • When does the risk of intrusion become material?
  • What are the triggers for reporting?
  • What assessments are required?
  • Does every company suffering a data security breach have to report it to the SEC?
  • What has to be reported?
  • How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
  • What is the best way for a company to wrap its arms around a cyberattack so it can make the appropriate disclosure?
  • What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?

Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend.

SEC Issues First-Ever Guidance on Disclosure to Investors of Cybersecurity Risks

Following a request in May 2011 from Senator Jay Rockefeller (D-WVA) to the Securities and Exchange Commission that the SEC advise public companies on when disclosure of cybersecurity risks to investors is mandated, on October 13 the Division of Corporation Finance at the SEC issued a Disclosure Guidance that for the first time advises registrants to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. The Guidance contained this caveat:

The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Still, companies that ignore the advice from the Division of Corporation Finance and fail to assess and disclose material cybersecurity risks do so at their peril -- risking regulatory and legal action.

In the introduction to the Guidance, the SEC Staff acknowledged that overly specific descriptions of cybersecurity risks filed on the public record could serve as a road map to cybercriminals:

We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws.

On when cybersecurity risks should be disclosed in SEC filings, the Guidance states:

In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

(emphasis supplied)

Thus, the Guidance plainly suggests that a risk assessment is necessary to make the determination on whether disclosure is called for.

In terms of what disclosure is called for, the Guidance states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

  • Risks related to cyber incidents that may remain undetected for an extended period; and

  • Description of relevant insurance coverage.
The Guidance also advises registrants to address cybersecurity risks and cyber incidents in their MD&A if

the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

The SEC Staff gave as an example:

if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

This SEC Guidance is likely to result in public corporations engaging in a substantial and detailed assessment of their cybersecurity risks to determine if public disclosure is required, and may lead to a litigation trend of plaintiffs suing corporations following a data security breach, alleging that the risks of such a breach were not properly assessed or disclosed.

The issuance of the cybersecurity disclosure guidance also raises the possibility that the SEC's long-dormant proposed revisions to Reg. S-P under the Gramm-Leach-Bliley financial privacy law, which would add specific data security steps for companies to follow, may be finalized -- as part of the Commission's effort to address the growing concerns about cybersecurity in corporate America.

Commerce Department Calls for Improved Cybersecurity Through Voluntary Self-Regulatory Standards

At a time when hacks of major commercial computer systems are in the news, the Department of Commerce’s Internet Policy Task Force issued a green paper yesterday preliminarily recommending a new framework for Internet security. The report is entitled “Cybersecurity, Innovation and the Internet Economy.” It discusses how to improve the Internet security practices of companies in the Internet and Information Innovation Sector other than those classified as part of “critical infrastructure.” These are the myriad companies that provide information services and content, facilitate transactional services over the Internet, store and host publicly accessible content, and support users’ access to content or transaction activities. This does not include companies in sectors that implicate national security interests, such as the defense, energy, financial, healthcare, and core telecommunications sectors, which are subject to other governmental cybersecurity strategies.

To increase the online security of businesses, the green paper preliminarily recommends that the Department of Commerce do the following:
(1) Work with multi-stakeholder groups to develop, when necessary, nationally recognized and consensus-based cybersecurity standards and practices specific to the covered businesses. This would include proactively promoting the adoption of particular keystone standards and practices, accelerating the promotion of automation in security, and improving and modernizing security assurance of third-party products. One example provided by the report is the Domain Name System Security Extensions (DNSSEC), which provide a way to verify that DNS answers are authentic, so that users are validly delivered to the web addresses they request.

(2) Work with industry to create, through public policy and public/private partnerships and other means, new incentives for firms to follow nationally recognized standards and practices as consensus around them emerges.  This would include continuing to advocate for the adoption of a national breach notification law, facilitating the sharing of information about security breaches as they occur, and evaluating other public policy tools that can be used to promote cybersecurity best practices (such as liability protection and reducing “cyberinsurance” premiums for companies that adopt best practices and openly share details about cyberattacks).

(3) Work with the covered businesses and other federal agencies to deepen private sector and public understanding of cybersecurity vulnerabilities, threats, and responses in order to improve incentives, research and development, and education.  This would include developing a better understanding (at both the firm and the macro-economic level) of the costs of cyber-incidents and the benefits of greater security, the tailoring of future awareness-raising efforts (including through the National Initiative for Cybersecurity Education), and facilitating research and development for deployable technologies.

(4) Continue to enhance the Department’s international collaboration and cooperation activities regarding cybersecurity.  The green paper posits that continuing to work with international governments and businesses would promote shared research and development goals, enable the sharing of best practices and threat information, and promote cybersecurity standards and policies that are in line with and/or influence global practices.

The Department has asked interested parties to comment on the recommendations in the green paper, as well as to provide responses to specific questions it posed to help develop the recommendations.  Some of these questions include:

  • What kinds of entities should be included or excluded from the covered businesses? How can the covered businesses' functions and services be clearly distinguished from critical infrastructure?
  • Should covered businesses that also offer functions and services to covered critical infrastructure be treated differently than other covered businesses?
  • Are there existing codes of conduct that covered businesses can utilize that adequately address these issues?
  • What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?
  • What are the right incentives to (a) gain adoption of best practices; (b) ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust; and (c) ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?
  • How can the Department of Commerce work with other federal agencies to better cooperate, coordinate, and promote adoption and development of cybersecurity standards and policy internationally?

The green paper comes on the heels of the Administration’s May report detailing its stance on cybersecurity policy, and its announcement that it will collaborate with experts in the private sector to develop a new cybersecurity strategy. The Department of Commerce’s position on cybersecurity should inform the Administration’s cybersecurity strategy as it progresses.

Changes for Federal IT Security Proposed With Impact for Government Contractors

This report was prepared by William Ferreira in the Hogan Lovells US LLP Government Contracts practice. 

On March 16, Congressman Jim Langevin (D-RI) introduced legislation that would reform the way IT security would be monitored and managed within the federal government. The legislation also would overhaul the Federal Information Security Management Act of 2002 (FISMA), and has important implications for government contractors. The bill, known as the Executive Cyberspace Coordination Act, comes on the heels of a report indicating that the federal government is “not prepared” for cybersecurity threats of the 21st century. The bill is one of several cybersecurity measures pending in Congress. The legislation has received bipartisan support and is similar to a bill introduced in the Senate in February.

The legislation would create a National Office of Cyberspace (NOC) in the White House, headed by a presidential appointee confirmed by the Senate. The NOC would operate a “Federal Cybersecurity Practice Board”, responsible for (1) issuing security controls, in coordination with the National Institute of Standards and Technology (or NIST), for government-networked computers and information infrastructure, (2) evaluating federal information security risks, and (3) developing minimum security standards for products and services procured and used by the government. 

With respect to the proposal to reform FISMA, that statutory scheme has been criticized by security professionals as a “paperwork” exercise that focused too heavily on mechanical compliance processes as opposed to actual security controls. Under the new legislation, federal agencies would be required to implement an information security program that uses “automated technical monitoring of information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”. The new focus would be on real-time monitoring of the effectiveness of security controls and continuous identification of deficiencies and potential security risks.

Many government contractors are watching this legislation carefully. It includes a proposal to revise the Federal Acquisition Regulation (FAR) in order to establish minimum information security requirements for procurement of IT products and services, and a proposal to adopt policies for evaluating and mitigating supply chain security risks associated with products or services acquired by agencies. More generally, the bill would apply yet-to-be-developed security requirements to any federal agreement that supports the operation and assets of an agency.

The security requirements would apply to government contractors and grantees that collect, use, manage, store, or disseminate information on behalf of an agency, or that use or operate an information system or information infrastructure on behalf of the agency. Whether and to what extent contractors and grantees engage in the foregoing activity has been a source of confusion, both within and outside the government, particularly as it relates to compliance with FISMA. Data security conditions (including FISMA terms) increasingly are incorporated into federal agreements, catching some contractors and grantees off guard. Moreover, as the private sector moves toward a cloud computing platform, the evolving federal cybersecurity policies likely will affect how organizations use cloud services in the performance of contracts and grants.  Organizations may need to start treating cloud service providers as subcontractors, and contractually impose federal data security requirements on these providers. It is too early to tell how these and other important issues ultimately will play out under the new legislation.

The legislation includes other salient items, as follows:

  • Annual audits: Requires agencies and contractors to obtain an annual independent audit of their information security programs for overall effectiveness and compliance with FISMA.
  • Federal Chief Technology Officer (Federal CTO): Establishes a Federal CTO, appointed by the President and confirmed by the Senate, to work across agencies and the private sector on information technology considerations with regard to federal budgets, and with regard to research and development programs for information technology-related matters.
  • Critical infrastructure: Defines “critical information infrastructure” and provides authority to the Secretary of Homeland Security to issue measures for the protection of information systems that control critical infrastructure. Importantly, the legislation does not appear to give Homeland Security an “internet kill switch” and related control over private systems.
  • Educational programs: Establishes a “Cyber Challenge Program” to support educational programs designed to engage students and the workforce in skill sets relevant to advanced cybersecurity capability.

FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information. For example, the FCC states

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising. It cautions, however, that

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet. Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.” Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.