Title: "Groundbreaking" or Broken? An Analysis of SEC Cybersecurity Disclosure Guidance, Its Effectiveness, and Implications
Abstract: In October 2011, the Securities and Exchange Commission (SEC) responded to mounting concern about the threat of cyber-attacks on corporate America by issuing staff guidance on when publicly traded companies should disclose information about cybersecurity vulnerabilities and attacks in their annual public filings. This SEC cybersecurity disclosure guidance has escaped serious analysis until now. Using case studies and paying particular attention to comment letters sent by the SEC to registrants to prompt greater disclosure, this article concludes that the guidance both procedurally overreaches and substantively underachieves. It overreaches because, while it is facially a nonlegislative rule, it has had the practical effect of binding private conduct as if it were a legislative one, violating the Administrative Procedure Act. It underachieves because the disclosures it requires are vague, similar across industries and companies, and bring little information to the marketplace. In particular, it fails to resolve an information asymmetry problem--between corporate managers and stockholders--that disclosure laws are meant to address. To resolve these defects, the SEC should elevate the cybersecurity disclosure guidance and issue it as a legislative rule, after a notice and comment period. Notice and comment rulemaking would contribute to sounder policy by allowing stakeholders to offer their expertise and experience at the front-end of the rulemaking process, improving the rule and its acceptability among the public. This guidance offers a counterexample to those who say that agencies do not commonly use guidance documents to make important policy decisions outside of the notice and comment process. The experience with this guidance also suggests the limits of agency creativity during periods of political ossification, and it challenges the simple verity that economic security and national security have merged.

I. INTRODUCTION

It has been said that history repeats itself, first as tragedy and then as farce (1)--and sometimes there is a thin line between the two. In May of 2013, a group loyal to embattled Syrian President Bashar Al-Assad, known as the Syrian Electronic Army, hacked into the Twitter account of the satirical newspaper and website The Onion and sent out a series of inflammatory messages to the publication's five million Twitter followers. (2) The culprits reportedly were angered by what they considered the satirists' bias against the Syrian regime, (3) evidenced by a facetious column the paper published supposedly authored by Al-Assad, in which he boasted of killing 70,000 people. (4) After the attack, The Onion--which had been accustomed to skewering the news instead of being the subject of it--did something serious for a change. (5) It disclosed on its website a detailed account of how its Twitter account was compromised and suggested steps other websites could take to prevent similar attacks. (6) What is remarkable about The Onion pulling back the layers of its cyber-attack is that the satirical newspaper took steps that many more sober organizations--fearful of admitting digital weaknesses that may either invite future attacks or shake investor confidence--are reluctant to take. (7) Such reluctance has persisted, even though the ubiquity of digital systems in modern society is matched only by their vulnerability to disruption. (8) In one survey, ninety percent of organizations reported having suffered at least one cybersecurity breach over a twelve-month period. (9) Seemingly every day, news breaks of yet another bank heist, espionage operation, or data theft accomplished not with masks and guns, but with clicks of a mouse and taps of a keyboard. (10) The U.S. government has spoken darkly of such cyber risks. (11) In his February 2013 State of the Union address, for instance, President Barack Obama warned of the rapidly growing threat [of] cyber-attacks. …
Publication Year: 2013
Publication Date: 2013-12-22
Language: en
Type: article
Access and Citation
Cited By Count: 5