Consumers have become wary of data breaches and the decreased safety of their personal information. However, the cost of a data breach is no longer only a matter of money and your company’s good name. There is now a third critical reason to pay attention: the U.S. Securities and Exchange Commission — more commonly referred to as the SEC.

The SEC has begun to take aim at the business practices that can lead to breaches. So, what does the SEC’s involvement mean for cybersecurity professionals?

Why Is the SEC Involved in Data Breach Response?

You might think about the SEC in terms of stocks and the stock market. But it has a three-part mission: protect investors, facilitate capital formation and maintain fair, orderly and efficient markets.

To protect investors, the SEC works to make sure consumers are not investing their hard-earned money in a company’s stock based on false or misleading information. That might mean looking into falsified earning reports, but it also goes much deeper.

The SEC aims for transparency. So, they require each business to disclose all types of risk that can affect the company’s earnings and, in the end, the stock price. This process increases the odds that an investor has access to all the information about a company’s financial health.

The possible risks encompass much more than fraud; they can include everything from supply chain issues to natural disasters. The purpose is to share anything and everything that could possibly affect the financial future of the company.

This leads us right to the answer about why the SEC cares about cybersecurity. When a company faces a cybersecurity attack or event, it affects its revenue. According to the IBM Cost of a Data Breach Report 2021, the average cost of a ransomware attack (the costliest type of breach) is $4.62 million. And the average cost of the least costly type of data breach (breaches in hybrid cloud environments) is still very expensive, at $3.61 million.

What This Means for Revenue

This means cybersecurity practices play a large part in a company’s revenue. Even minor breaches result in severe losses. Most consumers never consider cybersecurity when deciding where to invest their money.

Very few cybersecurity issues develop because of a single poor decision or mistake. Instead, there are multiple choices and factors that lead to the vulnerabilities that allow a breach to happen.

The issue concerns the SEC because when an organization faces a major incident, the price of that company’s stock almost always goes down. But consumers don’t have cybersecurity-related information when they purchase company stock. So, they are making those purchasing decisions without key information. That can make their investment much riskier than they realize.

Why now? It’s simple. The costs of breaches are going up, which means the risk to investors is increasing.

The IBM Cost of a Data Breach Report 2021 found the cost of a breach increased 10% between 2020 and 2021. As you might expect, the increased number of people working from home was a factor. Breaches involving remote work cost $1.07 million more than other breaches.

Reputation is a bit harder to quantify. But the fact that 38% of the cost of a breach comes from lost business is notable.

What Is the SEC Doing About Cybersecurity Risks and Incidents?

The SEC is increasingly levying fines on companies with poor cybersecurity practices.

In July 2021, the SEC settled with Pearson Plc, a London-based public educational publishing company. Pearson agreed to pay $1 million in response to charges of misleading investors regarding a 2018 breach, which involved the theft of millions of student records, including dates of birth and email addresses. The SEC’s stance was that Pearson did not have good enough disclosure controls and procedures.

And Pearson isn’t the only case like this. In August 2021, the SEC announced actions against eight financial firms for failures in their cybersecurity procedures and policies. Each of the companies had email account takeovers that caused exposure of client personal information, and the settlements ranged between $200,000 and $300,000 for each company. Experts agree that these are likely just the beginning. They are a signal that the SEC is now focusing on the risks cybersecurity issues pose to investors.

How to Avoid SEC Fines After a Data Breach

Harvard Business Review’s article on this subject is right on the money. First, create a committee for disclosure to conduct quarterly surveys to uncover everything that needs to be disclosed.

Second, disclose early. In a past case, the SEC ruled that six months was too long. Companies should take action as soon as possible. Along those lines, HBR gave further guidance that companies should disclose that they understand the full scope of the breach.

The final two suggestions — conduct forensic assessments and build visibility into your assets — provide practical advice. They can guide you to create a process that makes it easy to quickly and accurately disclose cybersecurity issues.

Let the SEC’s Data Breach Response Increase Your Cybersecurity Funding

Chief information security officers often ask me how they can show their company’s leaders how important cybersecurity is. And this SEC news is an outstanding proof point. It’s a great illustration of how cybersecurity incidents cost reputation and money. Plus, no one wants to get fined by the SEC. It’s just not a good look.

Before your next budgeting meeting, set up time to meet with your company leaders. Bring copies of recent SEC sanctions and a list of potential vulnerabilities in your own company. Start with sharing the SEC’s recent actions. Next, make the case for areas that could cause your company the same fate. Then tie it right back to your budget. Show how investments in cybersecurity can help prevent your organization from becoming the SEC’s next target.

You’ve known for years, if not decades, the importance of cybersecurity to your company. And while at first glance it appears the SEC news is bad for the industry, it’s actually the opposite. It’s even more proof that your company’s success and future depend on taking effective and proactive cybersecurity measures now.
