“Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” — SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures
On Feb. 21, 2018, the U.S. Securities and Exchange Commission (SEC) released updated guidance on cybersecurity disclosure for public companies. The agency updated the document’s previous language, which was released in 2011, regarding cyber risks and their impact on investment decisions.
SEC Sets New Standards for Cybersecurity Disclosure
In a press release announcing the update, SEC Chairman Jay Clayton shared his aim to ensure that companies provide “more complete information” to investors about cyber risks and incidents. He also urged companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” Specifically, the SEC guidance cautioned companies to “avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.” It also pointed to Regulation FD, which covers disclosures to outside entities such as brokers and dealers, investment advisers and others who might reasonably be expected to trade based on privileged information.
However, the main focus of the updated SEC guidance is the need for board directors and company executives to review their controls and procedures to ensure that their cybersecurity disclosure responsibilities are properly discharged. Pointing to the increasing frequency, magnitude and cost of cyber incidents, the document stated that public companies should “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”
In addition, the SEC guidance made it clear that if investors are kept in the dark about security incidents, not only should companies expect class action suits, but they’ll have the SEC on their backs as well. In the agency’s words, the SEC “continues to monitor cybersecurity disclosures carefully.”
Impact for Board Directors: Focus on Disclosure
The SEC document noted that the responsibility for clear and expedient disclosure falls squarely on the shoulders of board directors. The board is responsible for ensuring that the organization has appropriate disclosure controls and procedures “to make accurate and timely disclosures of material events.” This helps investors grasp the impact of a cyber incident on the organization and its business, finances, operations and, of course, liability.
The issue of disclosure is further complicated by the need to detect an incident, properly handle the company’s response, recover operations and ensure that all stakeholders are properly notified, from the incident response team all the way to the board. Furthermore, the document stated that the ongoing status of an investigation does not exempt organizations from having to disclose a material security incident. The commission also advised organizations to provide specific information that is meaningful to investors in incident reports.
Impact for Board Directors: Oversight of Cyber Risks
The guidance explained that threat actors have different motives, from financial gain to hacktivism, and that security incidents can also happen due to malicious or negligent insiders. In addition, the consequences of cyberattacks can take many forms, from lost business to reputational damage, strained relationships with suppliers and clients, fines, lawsuits and more.
The SEC emphasized that a breached organization must “disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” With this language, it would be extremely difficult for board directors to avoid their responsibility to engage with the C-suite to ensure that cyber risks are managed effectively. In other words, the days of putting your head in the sand are finally over, although most organizations have already phased out this approach.
This can be an opportune time for boards to increase their engagement regarding cyber risks, starting with a review of where the chief information security officer (CISO) sits on the organizational chart and how well cyber risks are integrated into a larger enterprise risk management (ERM) framework. Boards should also review their organization’s three lines of defense and, if need be, get a second opinion from an external source about the effectiveness of the cyber risk management program.
Impact for CISOs: Collaboration and Communication
Like directors are in the crosshairs of the SEC, so too will CISOs be in the crosshairs of board directors. Security leaders need to step up and provide mechanisms to discern the impact and “potential materiality” of cyber risks.
For some CISOs, this will require increased collaboration and cooperation with chief risk officers (CROs) to determine more accurate, timely and objective ways to evaluate and communicate cyber risks. It will also invite increased scrutiny of the organization’s risk management program, both by the C-suite and the board. CISOs should aim to simplify their dashboard, create that elusive single pane of glass and ensure that their communications with board directors are clear and effective.
In other words, when it comes to reporting on cyber risks, CISOs should review the accuracy and timeliness of their reports and ensure that the communications are:
Appropriate and relevant to their audience;
Grounded in a business mindset;
Based on quality data; and
Transparent about weak or unverified data.
The last point is specifically mentioned in the SEC guidance, which noted that any untrue or misleading disclosures need to be corrected quickly at the next possible iteration.
Overall, the updated SEC guidance set the bar a little higher and provided clear reminders — or, when needed, warnings — about the responsibilities of management and the board regarding cybersecurity disclosure.