New SEC Guidelines Suggest Breach and Cybersecurity Disclosure in Financial Statements

New guidance from the SEC on the topic of disclosing risks relating to breach information and cybersecurity has just been released. If all of the public breaches, Anonymous, and hacktivism have not elevated cybersecurity to the boardrooms of most organizations, this new guidance surely will, as it suggests that cyber incidents that have material effect on the organization should be disclosed as risks in financial documents.

This new guidance has company executive teams, CFOs, boards of directors, CEOs, outside counsel and CPA firms scrambling to understand the impact. What's more, to have any hope of really complying with the guidance, companies will need to know early when their systems are penetrated, what sort of data is being compromised, and the impact of the loss. Numerous industry studies suggest that most organizations aren't immediately aware when they have been breached: intrusions can go on for months or longer before being noticed. Figuring out what information has been compromised or stolen can take a long time. Determining whether there is a material impact to the organization can take time as well.

The stakes have just gotten higher. The trickle-down effect here will be that organizations will have to come to grips with cybersecurity incidents much faster, and they will have to understand the impact quickly.

More than being reactive, however, organizations will need to engineer their defenses to fully protect sensitive and confidential information of the type that rises to the "materiality" threshold. For most organizations, there is a LOT of this information in their IT systems: IP, financial results, customer information, business plans, etc.

What does this have to do with SharePoint? Nothing, if you are not storing sensitive or confidential information on the platform. Everything, if you are using SharePoint to store information of this sort and you work for a public company. Encryption for this sensitive data is a good idea. If you are not sure whether you're storing sensitive, confidential, or regulated data in SharePoint, getting a grip on the content being stored by users in SharePoint sites is a great place to start. Keep a couple of things in mind: defense in depth should be your default design principle, and breaches hurt a whole lot less if the data that is compromised is encrypted. Most state data breach laws provide safe harbor for breaches involving encrypted data; no public notification is generally required.

The full SEC guidelines are accessible here:

http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm


JD
