SEC Calls for Cohesive Incident Response and Reporting

Friday, December 09, 2011

Steven Fox, CISSP, QSA


The impact of security breaches on Sony Corporation’s stock price has prompted discussion of how corporate security incidents should be weighed in the investment decision process.

In response to this incident and others like it, the Securities and Exchange Commission (SEC) has released guidance for the disclosure of security incident risk in corporate investor communications.

This guidance is designed to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision,” including those related to information security breaches.

Such disclosures are justified by existing SEC regulations that require companies to disclose information on the company, the securities discussed in the prospectus, company management, and the financial statement. These may include the following:

  • Business and operational details associated with identified risks and the potential impact of incidents.
  • A summary of the company’s risk management approach and incident response plan.

This guidance encourages organizations to evaluate the extent to which their operations may be impacted by a compromised information assurance (IA) function or a breach of information security. Companies will need to perform a risk assessment of the systems that support their products/services.

This assessment should consider incident history to identify trends that may affect the company’s exposure to future incidents. Additionally, the efficacy of its risk management investments should be examined. This analysis should include any service providers whose operations affect the subject of the investment.

The role of the IA team rarely gets press or impacts the perception of a company’s brand until an incident occurs. It is often seen as a cost center necessary to secure corporate and customer information, not as a contributor to its value proposition.

The creation of a comprehensive prospectus is an opportunity for the IA function and the business stakeholders to communicate effectively. The business team must describe the value they deliver to their target market. The IA team must describe how their knowledge and experience supports this mission.

This team will be challenged to frame the technical details of an incident in the context of operational and strategic business impact. Their recommendations must supply business leaders with compelling metrics that support post-breach control investments.

Implementation of an organizational Computer Incident Response Team is the cornerstone of a consistent, managed, measured reaction to a security breach. I urge companies to staff this team with representatives from all business units that have a stake in incident management.

At a minimum, it should include a representative from the legal department, a communications officer, a manager empowered to make decisions on behalf of the company, and the IT incident response manager. This team should be focused on responding to attacks on company assets and, by extension, its brand.

We can no longer afford the cultural schism between the server room and the boardroom. Cyber miscreants attack both camps with increasing sophistication, waiting for the proverbial house to fall. Some of these techniques have been mentioned on the @McAfeeBusiness feed and discussed on the Security Connected blog.

The SEC has made the clarion call for us to band together to frustrate the attackers while validating the trust placed on us by investors. Will you heed the call?

Cross-posted from the McAfee Security Connected blog
