A student once asked me what an article on Duties and Risks Related to Cyber-Extortion has in common with the other things I research. Previously, my answer was (paraphrasing the Brundtland Commission definition): “sustainability means thriving today in a way that lets us thrive in the future; anything that prevents that is unsustainable, so cybersecurity issues are relevant.” Today’s one-word answer: materiality. Here’s what I mean and why it matters:
I was just catching up on the SEC’s guidance on materiality (information a reasonable investor would want to know before making a decision, which is the standard for deciding what publicly traded companies must disclose), and came across commentary in the Washington Post by Senator Jay Rockefeller and Michael Chertoff supporting the SEC Division of Corporation Finance’s view that risks and incidents related to cybersecurity should be disclosed.
The argument, essentially, is that it is both in our collective self-interest and in the best interest of investors for companies to publicly report on cybersecurity risks and incidents (for example, when a company’s information system is hacked and clients’ private information is stolen). While the authors don’t explicitly elaborate, the underlying reasoning is that companies manage more carefully the issues on which they must publicly report. That is the same argument many have been making about risks and data related to societal and environmental issues. Several thousand organizations engage in sustainability reporting, including 95% of the Global Fortune 250. An important question, however, is whether more encouragement from governments (through laws, regulations, or guidance) to disclose societal and environmental impacts would be constructive.
The next time this topic comes up, let’s remember that the SEC and its divisions do encourage disclosure of non-financial information such as, in this instance, the security of information systems. Is it any less relevant, from a public policy perspective or to the self-interested investor, when a company amplifies or mitigates risks, costs, and harms related to issues ranging from the use of coerced labor to the collapse of planetary life-support systems? If we generally support government encouragement of disclosure in the analogous case of information-system security, shouldn’t we also support more explicit government encouragement of disclosure of a broader array of societal and environmental risks and data?
Some of the themes of my upcoming articles will be (1) whether existing materiality standards already call for disclosure of a wider range of societal and environmental impacts, (2) whether more explicit and specific guidance from regulators would be helpful, and (3) that cooperation between regulated companies (most of which already have expertise in disclosing societal and environmental impacts) and regulators would be both the most efficient response on the part of executives and the one that yields the best results.