The SEC has issued guidance on corporate disclosure of material cyber risks and attacks. A front-page article in today’s Washington Post, however, raises concerns that there could be circumstances in which companies may not be able to disclose material known facts about their cybersecurity. Although it is not clear whether any federal contractors were even involved in the theft of information about weapons systems, it is possible that even if one or more publicly traded companies were involved, they may be prohibited by federal law from disclosing the matter. The Post article explained that the information about the cyber-theft was contained in “a confidential report….”
What the SEC needs to clarify is a company’s duty to report cyber-incidents and threats that the firm is obligated by a binding agreement to keep confidential. If material information regarding a company’s cyber vulnerability or a related matter is withheld from SEC disclosure because of legal confidentiality obligations, what happens if the information is eventually made public, as in the case of the Washington Post article? Could the firm be liable to the SEC for breaching its reporting duties? Could the plaintiffs’ bar use the disclosure to sue companies for obeying security confidentiality directives? It is incumbent on the SEC to address the matter through a transparent public process.