Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In an earlier post [1] we looked whether ‘plausible deniability’ was now a dead strategy in the face of enterprise risk management (ERM) and the likely impact of the US SEC (Securities and Exchange Commission) guidance [2] regarding disclosure obligations relating to operational and cybersecurity risks and cyber incidents. The SEC noted that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.
In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” And not just incidents are to be included, but the risk factors themselves.
The bottom line is that there is now an expectation of higher standard of duty and care. The Federal Trade Commission (FTC) has also gotten in the act, under its authority to prevent “unfair or deceptive practices”, going after firms that fail to protect customer information. [3]
Well the lawyers have figured out how to preserve a semblance a plausible deniability in this era of ERM. Enter the “privileged and confidential” risk assessment. While firms are still required to disclose their ‘significant’ operational risks, they can also conduct ‘secret’ risk assessments that are protected from disclosure under the cover of attorney-client privilege. To do this, the organization retains an outside lawyer or law firm for ‘legal advice’; the advice consists of conducting a risk assessment of the organization’s operational and cyber risks and producing a risk report. This ‘secret’ report and any information on the risks uncovered by it fall under attorney-client privilege and thus would not be subject to disclosure, even in a court of law.
The organization will still have file its ‘public’ risk disclosures, but that can occur after the organization has mitigated any serious risks found in the privileged assessment, and conducted a follow-up risk assessment for release that is not under the veil of privilege.
[1] #11 – COVER YOUR ASSETS 101 AND PLAUSIBLE DENIABILITY – ED PERKINS
[2] SEC CF Disclosure Guidance: Topic No. 2 – Cybersecurity” http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[3] What CIOs Need to Know About the FTC Cybersecurity Ruling, WSJ – CIO Blog https://www.wsj.com/articles/BL-CIOB-7898
Leave a Reply