The Securities and Exchange Commission recently voted unanimously to approve guidance to encourage public companies to provide disclosures to their investors about cybersecurity incidents they encounter and the risks they face as a result. So, what exactly are public companies required to disclose? Read on.

What do the new standards seek to achieve?

In a press release, SEC Chairman Jay Clayton announced that they are aiming to ensure that companies provide more complete information to investors about cyber risks and incidents. With this helpful information, investors can gather information on how much the cyber incident impacted the organization and its business, finances, operations and, of course, liability.

There has been a troubling pattern of company executives selling shares before publicly disclosing a known cybersecurity incident, which has also spurred the SEC’s heightened guidance.

What do companies have to do to prepare?

The main point of the updated SEC guidance is that there is a need for board directors and company executives to review their controls and procedures to ensure that the cybersecurity disclosure responsibilities are properly resolved.

Who is responsible for oversight?

The responsibility for overseeing the management of cyber risks falls directly on the shoulders of the board directors. The Board must ensure that the organization has appropriate disclosure controls and procedures in order to make “accurate and timely disclosures of material events”.

If your organization has a CISO, or Chief Information Security Officer, this person will need to step up and discern the impact of a cyber risk from a technical standpoint and potential materiality of these risks. In some cases this might involve increased collaboration and cooperation with chief risk officers (CROs) and CFOs.

In addition the SEC is urging companies to:

• Examine their controls and procedures (ex. securities law disclosure obligations, reputational considerations around sales of securities by executives)
• Conduct proper training during a period following an incident and prior to disclosing.

Potential penalties

SEC guidance makes it clear that if investors are kept in the dark about security incidents, companies can expect class action suits, and high scrutiny from the SEC.

Recent incident

The Equifax data breach exposed the personal data of almost 145.5 million Americans recently. Three Equifax executives allegedly sold shares worth a collective $2 million just days after the breach was discovered, but over a month before it was actually disclosed. Equifax lost nearly $4 billion in market value within just one week of the breach. That scandal reportedly resulted in a Department of Justice investigation, and an increased need for more vigilant cyber security practices and procedures.

But I’m not a publicly traded company, why should I care ?

As the SEC notes, the responsibility for Cyber security resides at the senior governance level of an organization; i.e. the Board of Directors or its equivalent. Even if you are privately held or, perhaps, a not-for-profit organization, this responsibility still exists. Also, history has taught us that other regulatory entities, at both the federal and state levels, will take their cue from SEC pronouncements. Finally, most state data privacy laws address the concepts relative to data security (which is really what cyber security is all about) that are contained in this guidance.

As we have shared before, cyber risk affects virtually every kind of enterprise, and it is not a matter of if, but when your organization will be attacked. The SEC’s action is a positive step towards creating accountability and transparency in the wake of destructive breaches like the one with which Equifax dealt. Interested in learning more about protecting your organization? Please reach out to me or any member of our Information Security Services Team.