I ran across an intriguing paper, New Strategies to Protect America: A Market-Based Approach to Private Sector Security. This report suggests that if SEC regulations were a bit more specific, they could compel private sector companies to disclose their critical infrastructure vulnerabilities and whatever protections they have put in place. The idea is that this information would give shareholders better information on which to base investment decisions. Those companies better protected against attack would be more attractive to investors. On the other hand, as the report notes, "companies that more fully discuss security risks may be hurt by their disclosures vis-à-vis competitors who take it less seriously, incentives are turned on their head. Markets could punish the most secure companies." Still, it's an idea worth considering.
The report makes its argument by citing a few examples from about a dozen industries (transportation, chemical, hospitals, real estate, energy and even iconic – Disney and McDonald's). It cites Microsoft as a good example, showing how low the bar is set:
Generally speaking, Microsoft's SEC disclosures inform investors that terrorism may impact the market for its goods and services. The company notes that a terrorist attack could materially disrupt its own operations and that cyber attacks are likely to continue. In that sense, Microsoft's disclosure is one of the best examples now provided to investors. Its discussion underscores the specific threat to the company; what impact attacks could have; and what the company is doing to protect itself and its investors. At the same time, in light of the billions in damages caused by cyber-attacks to date, they seem to materially understate potential risks.
The report also makes the point that corporate executives can't hide behind ignorance, where security is concerned, because it has a clear financial impact on the company.
Given the clear link between homeland and economic security, Sarbanes-Oxley should put companies on notice that they should support their homeland security disclosure decisions with an internal procedure for identifying, quantifying and assessing the materiality of these issues. Management needs to be informed about and engaged in corporate homeland security decisions. A failure to properly disclose corporate homeland security matters can result in real consequences for senior management.
And from the conclusion:
Terrorist organizations clearly have an on-going intention to attack our homeland by attacking our economy via our critical infrastructure. At the same time, there are strong indications that America's corporate sector is slipping back into complacency on matters of security. From a shareholder's standpoint, the security of an investment is substantially linked to the corporate security performance of the company and homeland security more broadly. The nation has a vital interest in encouraging—if not directly requiring—companies to do more to protect themselves and our critical infrastructure.