Cybersecurity Disclosures: A Three Step Strategy for Compliance with the New SEC Guidance
Against a background of growing investor concern and pressure from legislators, the Securities and Exchange Commission (SEC) is leading the drive for more open and timely disclosure of cybersecurity risks and incidents from public companies. Earlier this year, it challenged Amazon’s decision not to disclose the financial impact of the theft of customer data held by its subsidiary Zappos in the company’s annual report. In the view of the SEC, Amazon failed to comply with rules incorporated in the Securities Act of 1933 and Securities Exchange Act of 1934 which require “disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision” (SEC). These rules were clarified by the SEC in guidance on disclosure obligations related to cybersecurity risks and incidents, issued in October last year.
The guidance is based on a broad definition of cybersecurity which is seen as a body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access. It includes attacks and breaches caused by both insiders and third parties. Therefore, incidents such as the theft of proprietary software by an employee at Goldman Sachs in 2009 would fall into scope of the disclosure requirements.
According to the guidance, incidents include not just deliberate attacks, but breaches and losses resulting from unintentional events. In addition to attacks designed to misappropriate financial assets and intellectual property or other sensitive information, it includes Denial-of-Service (DoS) attacks targeted at disrupting operations.
The guidance requires public companies to disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In order to comply with this requirement, registrants are expected to evaluate the likelihood and impact of a material incident arising from a breach or failure in their information systems and infrastructure. The assessment should take into account factors such as the value of information contained in applications and systems, the degree to which the fiscal health of a company is tied to the confidentiality, integrity and availability of such information and technology in general, known vulnerabilities, prior security incidents, the financial and reputational impact arising from an incident, and the strength of preventative controls. Based on such an evaluation, a company is required to disclose material cybersecurity risks in the 10-K annual report provided to the SEC which is made available to investors and the general public. Such disclosures are often buried within the section related to risk factors in the 10-K. However, registrants are obliged to discuss material risks within the Managements Discussion and Analysis (MD&A), an area more widely read by investors. The SEC provides some leeway on the extent of information registrants should disclose, recognizing that too much disclosure could be exploited by malicious groups and compromise security efforts.
An inventory of mission-critical or information-rich systems within most publically-listed organisations often reveals a suite of SAP applications supporting everything from sales and distribution, purchasing, financial reporting and human resource management, as well as more industry-specific areas. Invariably, these applications are powered by the SAP NetWeaver Application Server (AS), a platform used to develop programs, manage database, operating system and network connections, link together SAP and non-SAP applications, and a myriad of other administrative tasks. The NetWeaver AS is a complex, Web-enabled area of SAP that is vulnerable to a variety of internal and external attacks. These vulnerabilities are widely known and include various forms of injection, cross-site scripting, session hijacking, DoS, and other attacks. Therefore, when reviewing the strength of preventative controls in SAP systems to determine whether there exists a material cybersecurity risk that requires disclosure, companies should closely review the configuration of the NetWeaver AS. Misconfigurations in this area could create vulnerabilities that can be exploited by insiders and outsiders to embezzle assets, leak information including intellectual property, corrupt data or disrupt operations.
Securely configuring the NetWeaver AS should be the first step in a three pronged strategy aimed at managing cybersecurity risks in SAP systems. When combined with appropriate access controls and technical settings at the application level, companies running SAP applications will greatly reduce the likelihood of material risks in their SAP environments that may require disclosure.
SAP has issued a number of recommendations to help customers configure the Netweaver AS. These recommendations can be found in the whitepapers Secure Configuration of SAP NetWeaver Application Server using ABAP and Protecting SAP Applications Based on Java and ABAP Against Common Attacks. They include regular monitoring of the security configuration of the NetWeaver AS which can be met through vulnerability assessments performed by Layer Seven Security. The assessments leverage software certified by SAP and detect over 400 vulnerabilities in components of NetWeaver Application Servers, the foundation of SAP applications. To learn more, visit our services page or call 1-888-995-0993 to connect with one of our SAP security consultants.