Archive for the ‘General Security’ Category

SEC Guidance Regarding Disclosure of Information Security Risk

January 31st, 2012 - ח טבת תשעב

With the US economy in danger in 1933, almost 100 years ago, two laws were passed to perform important tasks: on the one hand, to calm and reassure a desperate public that their future investments would go only into fully risk-transparent companies; and on the other, to demand that companies which collect money from the public fully assess, investigate, mitigate and disclose such risks.

These laws, called the “Securities Act of 1933” and the “Securities Exchange Act of 1934”, set minimum thresholds for many practices, including the disclosure of all forms of risk. Arguably, the most visible effect of these laws was the creation of the Securities and Exchange Commission, or, for short, the SEC.

While the disclosure of risk was always mandated by these laws, there was never a direct call to disclose ‘cyber’ (or information security) risks, as the text of Regulation S-K Item 503(c), quoted below, shows.

Risk factors. Where appropriate, provide under the caption “Risk Factors” a discussion of the most significant factors that make the offering speculative or risky. This discussion must be concise and organized logically. Do not present risks that could apply to any issuer or any offering. Explain how the risk affects the issuer or the securities being offered. Set forth each risk factor under a subcaption that adequately describes the risk. The risk factor discussion must immediately follow the summary section. … The risk factors may include, among other things, the following:

  1. Your lack of an operating history;
  2. Your lack of profitable operations in recent periods;
  3. Your financial position;
  4. Your business or proposed business; or
  5. The lack of a market for your common equity securities or securities convertible into or exercisable for common equity securities.


In fact, in response to the SEC’s demands, since 2005 those companies that disclosed information security risk *at all* often chose to put in their annual 10-K and quarterly 10-Q forms a ‘boilerplate’ template stating something like:

Failure of an information system or a compromise of security of an information system could adversely affect our results of operations and financial reporting


That should now change.

In October 2011, the SEC’s Division of Corporation Finance issued a Disclosure Guidance (available at the SEC site) ‘suggesting’ (in effect requiring, since not following it adds liability) a far more detailed and comprehensive discussion of information security risks.

In the next blog entry, I will discuss, analyze, and explain my views of this Guidance, as an Information Security Risk professional.


Note: I am not an attorney and this blog does not intend to represent legal advice. For legal advice, consult an attorney.


Dogs of War – Iran 2011 – Four

November 27th, 2011 - א כסלו תשעב

As I mentioned yesterday, here is the Special Annex to the Public report issued by the International Atomic Energy Agency (IAEA) about Iran: Possible Military Dimensions to Iran’s Nuclear Programme
ANNEX

Possible Military Dimensions to Iran’s Nuclear Programme

1. This Annex consists of three Sections: Section A, which provides an historical overview of the Agency’s efforts to resolve questions about the scope and nature of Iran’s nuclear programme, in particular regarding concerns about possible military dimensions; Section B, which provides a general description of the sources of information available to the Agency and its assessment of the credibility of that information; and Section C, which reflects the Agency’s analysis of the information available to it in the context of relevant indicators of the existence or development of processes associated with nuclear-related activities, including weaponization.


A. Historical Overview

2. Since late 2002, the Director General has reported to the Board of Governors on the Agency’s concerns about the nature of Iran’s nuclear programme. Such concerns coincided with the appearance in open sources of information which indicated that Iran was building a large underground nuclear related facility at Natanz and a heavy water production plant at Arak.[1]

3. Between 2003 and 2004, the Agency confirmed a number of significant failures on the part of Iran to meet its obligations under its Safeguards Agreement with respect to the reporting of nuclear material, the processing and use of undeclared nuclear material and the failure to declare facilities where the nuclear material had been received, stored and processed.[2] Specifically, it was discovered that, as early as the late 1970s and early 1980s, and continuing into the 1990s and 2000s, Iran had used undeclared nuclear material for testing and experimentation in several uranium conversion, enrichment, fabrication and irradiation activities, including the separation of plutonium, at undeclared locations and facilities.[3]

4. In October 2003, Iran informed the Director General that it had adopted a policy of full disclosure and had decided to provide the Agency with a full picture of its nuclear activities.[4] Following that announcement, Iran granted the Agency access to locations the Agency requested to visit, provided information and clarifications in relation to the origin of imported equipment and components and made individuals available for interviews. It also continued to implement the modified Code 3.1 of the Subsidiary Arrangements General Part, to which it agreed in February 2003, which provides for the submission of design information on new nuclear facilities as soon as the decision to construct or to authorize construction of such a facility is taken.[5] In November 2003, Iran announced its intention to sign an Additional Protocol to its Safeguards Agreement (which it did in December 2003 following Board approval of the text), and that, prior to its entry into force, Iran would act in accordance with the provisions of that Protocol.[6]

5. Between 2003 and early 2006, Iran submitted inventory change reports, provided design information with respect to facilities where the undeclared activities had taken place and made nuclear material available for Agency verification. Iran also acknowledged that it had utilized entities with links to the Ministry of Defence in some of its previously undeclared

  1. GOV/2003/40, para. 3.
  2. GOV/2003/40, para. 32; GOV/2003/75, para. 48; GOV/2004/83, paras 85–86; GOV/2005/67, para. 4.
  3. GOV/2003/75, Annex 1; GOV/2004/83, paras 85–86.
  4. GOV/2003/75, paras 13 and 15.
  5. GOV/2003/40, para. 6. Iran stopped implementing the modified Code 3.1 in March 2007 (GOV/2007/22, para. 12).
  6. GOV/2003/75, para. 18. The Additional Protocol was approved by the Board of Governors on 21 November 2003, and signed on behalf of Iran and the Agency on 18 December 2003 (GOV/2004/11, para. 5). In February 2006, Iran notified the Agency that it would no longer implement the provisions of the Additional Protocol (GOV/2006/15, para. 31).