In the wake of increasingly serious cyber security incidents—such as the recent Equifax data breach that affected about 140 million U.S. consumers—the Securities and Exchange Commission (SEC) issued its interpretive guidance on cybersecurity disclosures in late February. The guidance was highly anticipated within the business community, which had expected it to affirm and expand the cybersecurity disclosure guidance that the staff of the SEC’s Division of Corporation Finance issued in 2011. Almost immediately, however, the guidance ran into a buzz saw of criticism from the media for failing to make any major changes to the original guidance.
But what it lacks in expansion, it makes up for in affirmation. When rules and guidance such as these are staff-generated, there is a perception that SEC commissioners aren’t bound by those recommendations. With this guidance, the commissioners have now endorsed what the Division of Corporation Finance staff established seven years ago, giving it a sense of permanence.
Still, it wouldn’t be fair to say the new guidance lacks any significance. It strongly encourages companies to provide safeguards against insider trading before they disclose cybersecurity breaches and to ensure there are clear internal procedures in place to determine when a hack might be important to investors.
Essentially, the SEC understands that data breaches aren’t 100% preventable, and that companies have to take on a certain amount of risk in the interest of continuing to run and grow their business. But with this new guidance, it is mandating that companies fully disclose those risks to their shareholders.
In a statement released with the new guidance, SEC Chairman Jay Clayton said that, by setting out the commission’s views on these matters, the guidance will make companies more likely to provide clear and robust disclosures about their cybersecurity risks and incidents, and that investors will therefore receive more complete information. Clayton is urging “public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
For U.S. companies, this means it’s more important than ever to reassess your current cyber risk analysis and management program and make sure you have a robust program in place. And if you don’t, it’s time to implement one.
While some companies may believe they already have a strong cybersecurity program, it’s easy to misjudge what makes up a truly robust program that is compliant with the rules. A common misconception within companies is that they need only focus on their industry’s self-regulatory standards.
For example, a health insurer that is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA), or a retailer with a rigorous Payment Card Industry Data Security Standard (PCI-DSS) compliance program, may think it has met its overall obligations. That is far from the truth, and it’s important not to get caught in that trap. While HIPAA and PCI-DSS compliance may protect health care and credit card data, critical sales and marketing plans could remain vulnerable to attack by disgruntled employees or unscrupulous competitors.
Creating and implementing a thorough cyber risk management program requires deep analysis and involves all aspects of the company. It starts with empowering security professionals, such as chief security officers and chief information officers, to conduct an inventory of how the company collects and uses data—such as personal information, financial information and critical trade secrets. They need to understand where that information is stored and how it is shared with business partners. They also need to assess all the reasonably foreseeable threats to that data, including malicious outsider and insider attacks, as well as inadvertent and unintentional risks. How your business partners use and protect your data can have a dramatic effect on the reputation of your business.
Once a company has a clear understanding of all of its data and the universe of risks associated with that data, it should then reach out across all of its business units to assess what part of that information is most critical to each business unit’s success. Ask them honestly, “What information is most important to this department and would bring its wheels to a screeching halt if it were lost or compromised?”
With all of that information, a company will know the details of the data it uses and which parts of that data are most critical to its business functions. At that point, it is able to analyze the threats and vulnerabilities associated with that data and to clearly disclose those risks to shareholders as part of its robust cyber risk management program.
As data breaches on massive scales continue to dominate the headlines, companies should be implementing these programs sooner rather than later.
We’re likely to hear more from the commissioners down the road. SEC Chairman Clayton said in his statement that there is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve—and he is calling on the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of its selective filing reviews. “We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed,” he said.