The U.S. Securities and Exchange Commission (SEC) issued new guidance for public companies to be more forthcoming when disclosing cybersecurity risks, expanding on previous guidance issued in 2011. In addition to warning corporate insiders not to trade shares when they have information about cybersecurity issues that isn’t public, the guidance advised that internal or law enforcement investigations cannot be used as an excuse for not informing the public. The unanimously approved guidance, was published as “interpretive guidance,” which the SEC uses to publish their views and interpret the federal securities laws and SEC regulations.
The 24-page guidance, provides some clear insight and required actions for public companies to ensure compliance with the new guidance. The full document can be found here: 24-page SEC guidance
A clear takeaway from the guidance is that a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks. While this seems like an obvious statement you might ask yourself if this information is flowing beyond the CIO or CISO.
Do you have a documented, repeatable process for informing company directors and officers of such risks or is it ad-hoc and on demand when cybersecurity put on the board agenda as a topic of discussion? One way to be ready for these ad-hoc requests and ideally help the company mature to something more formal is to contract with a 3rd party to execute a comprehensive cybersecurity risk assessment.
Assessments have earned a bad name as they often become shelf-ware that never see the light of day outside of the IT organization. Done correctly these assessments should be the foundation for board level briefings and based on a solid framework like the NIST Cybersecurity Framework. The right vendor will align the assessment with all relevant regulatory requirements or guidance in addition to the framework and provide you with a comprehensive and quantifiable view of your cybersecurity risk.
For more information on information on how to leverage an assessment that can be transformative for your organization, and enable you to comply with SEC guidance, read this blog post: https://cybersheath.com/are-security-assessments-of-any-value/
Getting back to the recent SEC guidance, it states that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
The “risks” or “negative consequences” highlighted in the SEC guidance included:
- Remediation costs;
- Increased cybersecurity protection costs;
- Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation and legal risks, including regulatory actions by state and federal
- governmental authorities and non-U.S. authorities;
- Increased insurance premiums;
- Reputational damage that adversely affects customer or investor confidence;
- Damage to the company’s competitiveness, stock price, and long-term shareholder value.
The Commission stated that it is critical for public companies to take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
Given that every company should reasonably assume material risk related to cybersecurity and may or may not have yet been the target of a cyber-attack it’s clear that no public company escapes the guidance.
The SEC guidance encourages disclosure controls and procedures to provide a method for understanding the impact that cybersecurity risks and incidents have on the company in addition to a protocol to determine the potential materiality of such risks and incidents.
The SEC describes effective disclosure controls and procedures “as best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
The following issues were highlighted as important when evaluating cybersecurity risk for disclosure:
- The occurrence of prior cybersecurity incidents, including their severity and frequency;
- The probability of the occurrence and potential magnitude of cybersecurity incidents;
- The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- The potential for reputational harm;
- Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
As the regulatory drumbeat continues to gain steam, albeit slowly, companies have an opportunity to be proactive in educating their company directors and officers about cybersecurity risk. Start with an assessment and build the foundation for a documented, repeatable way to meet your obligations.
If you need help understanding the latest SEC guidance and are interested in a cybersecurity assessment that can transform your organization, contact us.