Consumers have become wary of data breaches and the decreased safety of their personal information. However, the cost of a data breach is no longer only a matter of money and your company’s good name. There is now a third critical reason to pay attention: the U.S. Securities and Exchange Commission — more commonly referred to as the SEC.
The SEC has begun to take aim at the business practices that can lead to breaches. So, what does the SEC’s involvement mean for cybersecurity professionals?
Why Is the SEC Involved in Data Breach Response?
You might think about the SEC in terms of stocks and the stock market. But it has a three-part mission: protect investors, facilitate capital formation and maintain fair, orderly and efficient markets.
To protect investors, the SEC works to make sure consumers are not investing their hard-earned money in a company’s stock based on false or misleading information. That might mean looking into falsified earning reports, but it also goes much deeper.
The SEC aims for transparency. So, it requires each business to disclose every type of risk that can affect the company’s earnings and, in the end, its stock price. This process increases the odds that an investor has access to all the information about a company’s financial health.
The possible risks encompass much more than fraud; they can include everything from supply chain issues to natural disasters. The purpose is to share anything and everything that could possibly affect the financial future of the company.
This leads us right to the answer about why the SEC cares about cybersecurity. When a company faces a cybersecurity attack or event, it affects its revenue. According to the IBM Cost of a Data Breach Report 2021, the average cost of a ransomware attack (the costliest type of breach) is $4.62 million. And the average cost of the least costly type of data breach (breaches in hybrid cloud environments) is still very expensive, at $3.61 million.
What This Means for Revenue
This means cybersecurity practices play a large part in a company’s revenue. Even minor breaches result in severe losses. Most consumers never consider cybersecurity when deciding where to invest their money.
Very few cybersecurity issues develop because of a single poor decision or mistake. Instead, there are multiple choices and factors that lead to the vulnerabilities that allow a breach to happen.
The issue concerns the SEC because when an organization faces a major incident, the price of that company’s stock almost always goes down. But consumers don’t have cybersecurity-related information when they purchase company stock. So, they are making those purchasing decisions without key information. That can make their investment much riskier than they realize.
Why now? It’s simple. The costs of breaches are going up, which means the risk to investors is increasing.
The IBM Cost of a Data Breach Report 2021 found the cost of a breach increased 10% between 2020 and 2021. As you might expect, the increased number of people working from home was a factor. Breaches involving remote work cost $1.07 million more than other breaches.
Reputation is a bit harder to quantify. But the fact that 38% of the cost of a breach comes from lost business is notable.
What Is the SEC Doing About Cybersecurity Risks and Incidents?
The SEC is increasingly levying fines against companies with poor cybersecurity practices.
In July 2021, the SEC settled with Pearson Plc, a London-based public educational publishing company. Pearson agreed to pay $1 million in response to charges of misleading investors regarding a 2018 breach, which involved the theft of millions of student records, including dates of birth and email addresses. The SEC’s stance was that Pearson did not have adequate disclosure controls and procedures.
And Pearson isn’t the only case like this. In August 2021, the SEC announced actions against eight financial firms for failures in their cybersecurity procedures and policies. Each of the companies had email account takeovers that caused exposure of client personal information, and the settlements ranged between $200,000 and $300,000 for each company. Experts agree that these are likely just the beginning. They are a signal that the SEC is now focusing on the risks cybersecurity issues pose to investors.
How to Avoid SEC Fines After a Data Breach
Harvard Business Review’s article on this subject is right on the money. First, create a disclosure committee that conducts quarterly surveys to uncover everything that needs to be disclosed.
Second, disclose early. In a past case, the SEC ruled that six months was too long. Companies should take action as soon as possible. Along those lines, HBR’s further guidance is that companies should disclose even before they understand the full scope of the breach.
The final two suggestions — conduct forensic assessments and build visibility into your assets — provide practical advice. They can guide you to create a process that makes it easy to quickly and accurately disclose cybersecurity issues.
Let the SEC’s Data Breach Response Increase Your Cybersecurity Funding
Chief information security officers often ask me how they can show their company’s leaders how important cybersecurity is. And this SEC news is an outstanding proof point. It’s a great illustration of how cybersecurity incidents cost reputation and money. Plus, no one wants to get fined by the SEC. It’s just not a good look.
Before your next budgeting meeting, set up time to meet with your company leaders. Bring copies of recent SEC sanctions and a list of potential vulnerabilities in your own company. Start with sharing the SEC’s recent actions. Next, make the case for areas that could cause your company the same fate. Then tie it right back to your budget. Show how investments in cybersecurity can help prevent your organization from becoming the SEC’s next target.
You’ve known for years, if not decades, the importance of cybersecurity to your company. And while at first glance it appears the SEC news is bad for the industry, it’s actually the opposite. It’s even more proof that your company’s success and future depend on taking effective and proactive cybersecurity measures now.