Cyber security and data privacy remain a hot topic as Facebook prepares to go public today with its initial public offering. The IPO is priced at $38 a share, valuing Facebook at $104 billion, making it the biggest IPO for a U.S. technology firm. The social network company has about 900 million active monthly users and the site has received more than 400 billion page views this year in the U.S. alone.
Jeremiah Grossman, a world-renowned expert in Web security and co-founder of the Web Application Security Consortium, told me that Facebook will need to be even more concerned about cyber attacks since any type of attack might (temporarily) impact its stock price.
“Any information that may be gained surreptitiously from the website, or other systems, might provide insight into financial performance,” Grossman wrote to me.
He says that Facebook will have to be concerned with attacks, while attacker types and motivations will likely change. One of the biggest changes to becoming a public company is the need to report corporate hacking and to report cybersecurity risk. And this reporting structure and guidelines has recently changed. In the post, SEC Guidance Is a Really Big Deal, on the blog, TaoSecurity, Richard Bejtlich refers to the SEC Guidance as a “game changer.”
First of all, he writes, the SEC Guidance defines new reporting duties for companies, which means companies will have to revamp the way they define their digital risk, pre- and post-breach. That means no more boiler plate documents to fufill SEC regulations. Also, Bejtlich says the SEC language will encourage shareholder lawsuits against companies who believe boards didn’t disclose risks and actual breach details to investors. And lastly, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff, writes Bejtlich. Apparently, the SEC Office of the Whistleblower, is preparing to pay whistleblowers to report the company they work for, if they feel the company isn’t treating security breaches appropriately.
Facebook has been facing these cyber security concerns head on. A Bloomberg Law Reports article says that “Facebook has set the bar for S-1 disclosure in the areas of cybersecurity and privacy risks.” It says the company has fully adopted the Cybersecurity Guidance and provides real-life examples of these risks and how it will disclose this information to investors.
It even takes it a step further and “discloses risks that are associated indirectly with cybersecurity and privacy concerns, such as unfavorable media coverage and potential reputational damage that could result from the failure to maintain adequate cybersecurity and privacy protection.”
What do you think? Will going public make Facebook more vulnerable and attractive to cyber attacks? How damaging could this be to its stock value?