SEC Guidance on Public Company Cybersecurity Disclosures

By Eric Noonan • April 6, 2018

The U.S. Securities and Exchange Commission (SEC) issued new guidance for public companies to be more forthcoming when disclosing cybersecurity risks, expanding on previous guidance issued in 2011. In addition to warning corporate insiders not to trade shares while they hold material, nonpublic information about cybersecurity issues, the guidance states that an ongoing internal or law enforcement investigation does not, on its own, justify withholding disclosure of a material incident from the public. The unanimously approved guidance was published as “interpretive guidance,” the vehicle the SEC uses to set out its views and interpret the federal securities laws and SEC regulations.

The 24-page guidance provides clear insight into what the Commission expects of public companies and what actions they should take to comply. The full document can be found here: https://www.sec.gov/rules/interp/2018/33-10459.pdf

A clear takeaway from the guidance is that a company’s directors, officers, and other persons responsible for developing and overseeing disclosure controls and procedures should be informed about the company’s cybersecurity risks. While this seems like an obvious statement, ask yourself whether that information is actually flowing beyond the CIO or CISO.

Do you have a documented, repeatable process for informing company directors and officers of such risks, or is it ad hoc and on demand, triggered only when cybersecurity is put on the board agenda as a topic of discussion? One way to be ready for these ad hoc requests, and ideally to help the company mature toward something more formal, is to contract with a third party to execute a comprehensive cybersecurity risk assessment.

Assessments have earned a bad name because they often become shelf-ware that never sees the light of day outside the IT organization. Done correctly, an assessment should be the foundation for board-level briefings and should be based on a solid framework such as the NIST Cybersecurity Framework. The right vendor will align the assessment with all relevant regulatory requirements and guidance in addition to the framework, and provide you with a comprehensive, quantifiable view of your cybersecurity risk.

For more information on how to leverage an assessment that can be transformative for your organization and enable you to comply with the SEC guidance, read this blog post: http://www.cybersheath.com/are-security-assessments-of-any-value/

Returning to the recent SEC guidance, it states that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The “risks” or “negative consequences” highlighted in the SEC guidance include:

  • Remediation costs;
  • Increased cybersecurity protection costs;
  • Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
  • Increased insurance premiums;
  • Reputational damage that adversely affects customer or investor confidence;
  • Damage to the company’s competitiveness, stock price, and long-term shareholder value.

Note that the Commission’s statement applies not only to companies that have already suffered an attack but also to those that face material cybersecurity risk and have not yet been targeted. Given that every public company should reasonably assume it carries material cybersecurity risk, whether or not it has been attacked, it is clear that no public company escapes the guidance.

The SEC guidance encourages companies to adopt disclosure controls and procedures that provide a method for understanding the impact that cybersecurity risks and incidents have on the company, together with a protocol for determining the potential materiality of such risks and incidents.

The SEC describes effective disclosure controls and procedures as “best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

The guidance highlights the following issues as important when evaluating cybersecurity risk for disclosure:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
  • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

As the regulatory drumbeat grows louder, albeit slowly, companies have an opportunity to be proactive in educating their directors and officers about cybersecurity risk. Start with an assessment and build the foundation for a documented, repeatable way to meet your disclosure obligations.

If you need help understanding the latest SEC guidance and are interested in a cybersecurity assessment that can transform your organization, contact us.
