Consumers have become wary of data breaches and the decreased safety of their personal information. However, the cost of a data breach is no longer only a matter of money and your company’s good name. There is now a third critical reason to pay attention: the U.S. Securities and Exchange Commission — more commonly referred to as the SEC.

The SEC has begun to take aim at the business practices that can lead to breaches. So, what does the SEC’s involvement mean for cybersecurity professionals?

Why Is the SEC Involved in Data Breach Response?

You might think about the SEC in terms of stocks and the stock market. But it has a three-part mission: protect investors, facilitate capital formation and maintain fair, orderly and efficient markets.

To protect investors, the SEC works to make sure consumers are not investing their hard-earned money in a company’s stock based on false or misleading information. That might mean looking into falsified earning reports, but it also goes much deeper.

The SEC aims for transparency. So, they require each business to disclose all types of risk that can affect the company’s earnings and, in the end, the stock price. This process increases the odds that an investor has access to all the information about a company’s financial health.

The possible risks encompass much more than fraud; they can include everything from supply chain issues to natural disasters. The purpose is to share anything and everything that could possibly affect the financial future of the company.

This leads us right to the answer about why the SEC cares about cybersecurity. When a company faces a cybersecurity attack or event, it affects its revenue. According to the IBM Cost of a Data Breach Report 2021, the average cost of a ransomware attack (the costliest type of breach) is $4.62 million. And the average cost of the least costly type of data breach (breaches in hybrid cloud environments) is still very expensive, at $3.61 million.

What This Means for Revenue

This means cybersecurity practices play a large part in a company’s revenue. Even minor breaches result in severe losses. Most consumers never consider cybersecurity when deciding where to invest their money.

Very few cybersecurity issues develop because of a single poor decision or mistake. Instead, there are multiple choices and factors that lead to the vulnerabilities that allow a breach to happen.

The issue concerns the SEC because when an organization faces a major incident, the price of that company’s stock almost always goes down. But consumers don’t have cybersecurity-related information when they purchase company stock. So, they are making those purchasing decisions without key information. That can make their investment much riskier than they realize.

Why now? It’s simple. The costs of breaches are going up, which means the risk to investors is increasing.

The IBM Cost of a Data Breach Report 2021 found the cost of a breach increased 10% between 2020 and 2021. As you might expect, the increased number of people working from home was a factor. Breaches involving remote work cost $1.07 million more than other breaches.

Reputation is a bit harder to quantify. But the fact that 38% of the cost of a breach comes from lost business is notable.

What Is the SEC Doing About Cybersecurity Risks and Incidents?

The SEC is increasingly levying fines against companies with poor cybersecurity practices.

In July 2021, the SEC settled with Pearson Plc, a London-based public educational publishing company. Pearson agreed to pay $1 million in response to charges of misleading investors regarding a 2018 breach, which involved the theft of millions of student records, including dates of birth and email addresses. The SEC's stance was that Pearson's disclosure controls and procedures were inadequate.

And Pearson isn’t the only case like this. In August 2021, the SEC announced actions against eight financial firms for failures in their cybersecurity procedures and policies. Each of the companies had email account takeovers that caused exposure of client personal information, and the settlements ranged between $200,000 and $300,000 for each company. Experts agree that these are likely just the beginning. They are a signal that the SEC is now focusing on the risks cybersecurity issues pose to investors.

How to Avoid SEC Fines After a Data Breach

Harvard Business Review’s article on this subject is right on the money. First, create a committee for disclosure to conduct quarterly surveys to uncover everything that needs to be disclosed.

Secondly, disclose early. In a past case, the SEC ruled that six months was too long. Companies should take action as soon as possible. Along those lines, HBR gave further guidance that companies should disclose they understand the full scope of the breach.

The final two suggestions — conduct forensic assessments and build visibility into your assets — provide practical advice. They can guide you to create a process that makes it easy to quickly and accurately disclose cybersecurity issues.

Let the SEC’s Data Breach Response Increase Your Cybersecurity Funding

Chief information security officers often ask me how they can show their company’s leaders how important cybersecurity is. And this SEC news is an outstanding proof point. It’s a great illustration of how cybersecurity incidents cost reputation and money. Plus, no one wants to get fined by the SEC. It’s just not a good look.

Before your next budgeting meeting, set up time to meet with your company leaders. Bring copies of recent SEC sanctions and a list of potential vulnerabilities in your own company. Start with sharing the SEC’s recent actions. Next, make the case for areas that could cause your company the same fate. Then tie it right back to your budget. Show how investments in cybersecurity can help prevent your organization from becoming the SEC’s next target.

You’ve known for years, if not decades, the importance of cybersecurity to your company. And while at first glance it appears the SEC news is bad for the industry, it’s actually the opposite. It’s even more proof that your company’s success and future depend on taking effective and proactive cybersecurity measures now.
