Richard Bejtlich tweeted about an article in the financial press, the gist of which is that following the issuance of their revised guidance, the SEC has been asking firms some pointed questions about their information security incident history.
At first, I was remarkably frustrated in my attempts to find the source materials forming the basis for the article Rich linked to, but after some coffee, a brief email exchange with the article’s author, and some more pointed googling, I discovered that the same SEC search page I was already familiar with offered access to the correspondence the SEC has with firms. One simply must ask for Form Type “UPLOAD” for the letters the SEC sends, and for Form Type “CORRESP” for replies to same.
This, my friends, is Why Johnny Can’t do Financial Research (but I digress).
In any case, I hope to more fully investigate these “Comment Letters”, as they are known in accounting and regulatory circles, but after some effort I have been able to determine that SEC inquiries about what we now (to my chagrin) call cyber risk factors, or about actual incidents, are not entirely new, but (prior to the revised SEC guidance issued October 13, 2011) rare. I’ve found just a few that predate the revised guidance (but full-text searching is available only beginning in 2008).
For example, this letter to EMC asks:
Please update us as to the status of the cyber attack mounted against RSA. In this regard, you indicated in the March 17, 2011 Form 8-K that based on what you knew at such time, the company did not believe such matter will have a material impact on your financial results. Please tell us if you still believe that to be true. In addition, you indicated that the company took a variety of “aggressive measures” against the threat to protect your business, including further hardening your IT infrastructure. Tell us what other measures, if any, you have taken and tell us how the costs incurred to implement such measures impacted your first quarter results of operations. In addition, tell us how you considered including a discussion of this attack in your March 31, 2011 Form 10-Q.
Without engaging in Kremlinology, it is nonetheless interesting to ponder whether the SEC is grappling here with how firms that have suffered significant breaches assess their materiality.
Sometimes, as with this Comment Letter to BATS Global Markets, Inc., dated June 9, 2011, the SEC straight up asks for incident detail:
We note the risks regarding your vulnerability to unauthorized access, computer viruses, and inadvertent disclosure of confidential information. Please disclose any significant instances of such events.
Interestingly, this is months in advance of the “new guidance”, and wound up with the firm responding concerning an apparent (to my reading) hardware failure representing less than a day’s revenue that there were no material incidents about which it was aware. [Update 10/18/2012: Link to and details of response corrected - link had inadvertently been to a different letter from the registrant to the SEC ]
As a third and final example, the SEC in this Comment Letter, takes specific note of a reported incident, stating:
We note that your Epsilon business was recently attacked by cyber-thieves. In your next quarterly report on Form 10-Q, ensure that you consider disclosing and quantifying any reasonably expected material impact on your liquidity, capital resources and/or results of operations from any currently known trends, events and uncertainties related to this incident.
This seems to be the SEC stating, prior to the written guidance, that a firm should consider possible material impacts from cyber incidents.
All in all, fascinating stuff for those of us who like details. Not to go to meta on this, but the existence of this information – almost literally a view into the thought processes of the regulators – is a boon to those of us who need to know what’s happening at layers 8 and 9 of the extended OSI stack.