Ignore the SEC’s Strengthened Stance on Cybersecurity At Your Own Peril
Managing Director of Marsh Cyber Risk Consulting
With constantly changing technology, integrated core business processes, and connected devices now pervasive, the threat and impact of cyberattacks are higher than ever. Attackers—whether individuals or nation-states—are becoming more astute, putting pressure on companies to take immediate action to protect their assets from potentially imminent breaches.
According to the recently released Global Risks Report 2019, business leaders in advanced economies rank cyberattacks among their top concerns. A large-magnitude attack can destroy a company’s fiscal well-being and have a ripple effect on the economy.
The SEC Strengthens Its Stance
Cybersecurity has, for several years, been high on the agenda of the U.S. Securities and Exchange Commission (SEC), and in 2011, the Commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations with regard to their cybersecurity risks and cyber incidents.
While this was a good starting point, it became apparent that it didn’t go far enough in terms of laying out the expectations for both proactive and reactive cyber-risk management.
In 2018, the SEC unanimously approved new interpretative guidance, which outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents. It underscores that cyber poses “grave threats to investors,” the markets, and the country.
In a statement, SEC Chair Jay Clayton urged public companies “to examine their controls and procedures,” not solely to conform with securities law disclosure obligations, but also to keep in mind financial and reputational considerations. The guidance focuses on the following core areas:
Pre-incident disclosure: The SEC calls for transparency around the identification, quantification, and management of cyber risk across an organization. As technology evolves, an organization’s attack surface expands, especially as more connected devices are added to networks and reliance on an expansive supply chain grows. Companies are required to set the stage for the quick identification and management of cyber incidents that have a material impact on their business.
Board oversight: The days when the board simply wrote a check to cover cybersecurity challenges are over. Instead, it is the board’s responsibility to understand that risk, quantify it, and oversee it. The SEC advises companies to disclose, as part of their proxy statement, the board’s role and engagement in cyber risk oversight and notes that the discussion “should include the nature of the board’s role in overseeing the management of [cyber] risk.” As a former chief information security officer, I understand the challenges in articulating the right messages to the board. However, to meet the SEC guidance, board members have to be privy to the company’s overall cyber exposures, integrating this insight as part of their 360-degree view of the company’s risks.
Incident disclosure: The SEC requires companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” This requires having structures in place to identify and quantify cyber-risk exposure, allowing the organization to rapidly determine whether a cyber breach was, in fact, material, thus requiring transparency to investors and shareholders. One preliminary step is to establish which technology assets and suppliers hold proprietary and confidential data, such as customers’ personal details or strategic business information. This insight can also inform decisions on the organization’s cyber-risk management strategy, that is, whether to manage or transfer a specific risk.
Controls and procedures: Companies are expected to assess whether their enterprise-wide risk management process is sufficient to safeguard the organization from cyber disasters. With a constantly evolving attack surface, there needs to be ongoing due diligence to identify and manage new risks, especially during a merger or acquisition. Most companies have long been doing this when it comes to other perils, for example, natural disasters, and it is imperative to extend the same process to cyber.
Insider trading: In a topic that is new to the 2018 guidance, the SEC “reminds” companies, directors, officers, and other insiders of insider trading prohibitions. In practice, this means that directors, officers, and other executives who are aware of a company’s cyber vulnerabilities or a breach could be liable if they sell company stock, or instruct anyone else to do so, before such a breach or vulnerability is divulged.
Heightened Enforcement Action
Companies that do not abide by the SEC’s recommendations can face enforcement action. Last year, the SEC levied a $35 million penalty against Altaba (formerly Yahoo!) after charging the company with failing to disclose one of the world’s largest data breaches, which was identified in 2014 and during which personal data related to hundreds of millions of user accounts was stolen.
While there haven’t been other cyber disclosure enforcement actions, a 2018 SEC investigation into nine public companies that fell victim to business email compromise found that their internal accounting controls might have been insufficient. It stressed the need for companies’ internal accounting controls to be attuned to the risk of cyber fraud, with procedures in place geared to identify and stop such incidents.
Although the commission decided not to pursue an enforcement action, these investigative findings should serve as a warning to companies.
Mounting Pressure Makes Increased Regulation Likely
The number and magnitude of breaches have heightened congressional inquiries, investor expectations, and regulatory oversight across the industry’s cyber-risk management practices. The culmination of these pressures will likely translate into the intensified application of cyber-risk management expectations by the SEC and other regulatory bodies.
This will require organizations to develop processes to continuously quantify and manage their cyber-risk exposure, establish effective top-down oversight, relentlessly plan for cyberattacks, prepare for disclosures, and adjust defenses accordingly.