Yes it is; bad news doesn’t always go away. In this morning’s e-mail updates for us corporate lawyers, two depressing items:
First, the PCAOB (the board that oversees the auditors of public companies) reported remarks on Friday from its deputy director for technology to the effect that companies “face hundreds, if not thousands of attempts to break into their systems on a daily basis….” In the face of this onslaught, PCAOB is working on defining how audit teams should go about assessing the magnitude of cyber risk and what acceptable governance policies look like. (Once this gets sorted out, expect the same CPA approaches to be applied to private company audits as well.)
And today the SEC’s director of Corporation Finance (the division that passes on registration statement disclosure) announced that the staff is “looking closely” at cyber risk disclosure. One focus is internal controls for responding to a hack: are procedures in place to bring the facts upstream to the disclosure experts and the general counsel?
On a less procedural note, the SEC speculated that a company might want to restrict trading in its shares by officers and directors once a hack is identified and found to be material. If a company were to take such a step, seems to me, it would have to make a public disclosure of that event, which in some cases might accelerate the reporting of data breaches; much criticism has been leveled at the dilatory pace at which some companies have announced material breaches. Such an acceleration would put great pressure on the early determination of a hack’s “materiality,” a concept in the securities laws which does have an accepted definition but which in practice works much like the Supreme Court view of pornography: can’t define it, but I darn well know it when I see it.