Homeland Security Watch

News and analysis of critical issues in homeland security

August 1, 2006

Private-sector security: a stronger role for SEC disclosure?

Filed under: Infrastructure Protection, Risk Assessment — by Christian Beckner on August 1, 2006

The Center for American Progress released a very innovative, thought-provoking report last week entitled “New Strategies to Protect America: A Market-Based Approach to Private Sector Security” by Robert Housman and Timothy Olson. The report proposes using strong SEC disclosure regarding homeland security as a market-based means to drive companies to make appropriate internal security investments. It summarizes the state of homeland security-related disclosure today, and looks at how existing SEC regulations (incl. Sarbanes-Oxley) could be leveraged to improve the quality of homeland security disclosure. The report argues that enhanced disclosure would be useful information to shareholders, would not impose an undue burden on companies, and would not “tip off” terrorists to the state of a company’s defenses. The authors readily acknowledge that this proposal is not a panacea, but make a strong case that it would be much better than the status quo, where companies in many sectors are willfully ignoring the need to invest in security:

Some companies are already opting not to know. Many companies have not conducted top-to-bottom security assessments, or audits, because they are concerned that such a review will bring to light serious security shortcomings. These companies fear that once they are aware of such shortcomings they will either have to spend vast amounts of money to fix them, or risk serious liabilities for willful negligence if something bad happens to the company. This is the proverbial “Ostrich Problem.”

In fact, the decision not to know, and the resulting ignorance, actually offers companies little protection. There is ample legal precedent that willful blindness is not a shield against liability—in either shareholder derivative actions or liability lawsuits. A market-based, disclosure regime will function best if companies are positively encouraged to analyze and fully understand their risks and the effectiveness of their security systems, and can then communicate such information to the market.

Overall, a very solid & balanced report, one that deserves further deliberation in Congress and at the SEC.


1 Comment »

Comment by William R. Cumming

August 1, 2006 @ 4:54 am

The real problem in “Business Continuity” is that most businesses realize that the costs of physical and cyber security and backup systems affect the bottom line. Better to let someone else worry about it or hope it won’t happen to them while on watch. We faced this in the governmental sector all the time. A recent example. IRS HQ’s at 1111 Constitution is not usable for up to a year and IRS had no COOP plan or business continuity plan and was recently flooded out during an unusual rainstorm. I guess we really weren’t prepared for nuclear warfare after all. An excellent free publication is available quarterly the Disaster Recovery Journal. Oddly enough firms have gotten interested in disaster recovery and business continuity to make this a highly profitable business sector. After all business interruption insurance is scarce and casualty loss provisions of the Internal Revenue Code really don’t adequately address lost revenue streams.
