Since 2011, when the U.S. Securities and Exchange Commission (SEC) first took up the topic of disclosure of cybersecurity risks and incidents by public companies, the cyber threat landscape has only grown more complex and daunting. So much so that the SEC felt compelled to provide additional clarity so that companies better understand their disclosure obligations and the risks of not placing the proper attention on cybersecurity. Where the previous guidance broadly emphasized obligations for disclosing confirmed or suspected data breaches, this new guidance emphasizes cybersecurity controls and governance.
The language in the latest SEC guidance reflects the increasing risk that cybercrime poses to shareholder value. While the 2011 guidance noted “more frequent and severe cyber incidents,” the 2018 guidance begins with an ominous warning: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” With that, the SEC advises that “public companies take all the required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but not yet have been the target of a cyberattack.[i]” This advice is important because the SEC is recognizing that there are only two types of publicly traded companies: those that have been breached, and those that don’t know that they have been breached.
The SEC is also recognizing that the damage from cyber breaches is growing to the point where it can affect a company’s market capitalization. For example, Equifax is now facing hundreds of class-action lawsuits, which continue to put significant downward pressure on its stock price. For this reason, cyber risks must now be disclosed because of their potential material impact on the business, so that investors can evaluate those risks in the context of their investment decisions.
Expect to increasingly see “Cyber Risks” added to the list of typical risks, such as financial, supplier and competitive risks, in the Management Discussion and Analysis sections of 10-Ks and other public filings. The SEC goes even further in its guidance and offers some qualifications around what should be included in that discussion.
The SEC is also indicating that because cyber threats pose a potential material impact to publicly traded companies, there needs to be a more rigorous executive- and board-level understanding of these matters. Strikingly, the SEC has identified new levels of required control and governance for corporate boards. Companies must disclose how the board administers its risk oversight function, and to the extent that cybersecurity risks are material, the discussion “should include the nature of the board’s role in overseeing the management of that risk.”
The board, under the new SEC guidelines, has the responsibility for timely and accurate disclosure of such risks, and companies must disclose the board’s role in the company’s risk oversight. Ultimately, companies can no longer avoid addressing cyber risks because the board is being held accountable.
The details of the new guidance mean that companies must be in a position to constantly understand their risk profile and to communicate changes to that profile on an ongoing and consistent basis. Companies need to change the way they think and talk about security.
CISOs need an ongoing 360-degree view of their company’s security posture that includes both an outside-in and an inside-out assessment: one that evaluates the preventative measures currently in place while exposing gaps, weaknesses and the associated risks. The new guidance requires a common language for evaluating and communicating cyber risk. Using such a framework, companies can more effectively share information about their risks and can use that data to establish triggers for public disclosure.
Click here to learn how the new Verizon Risk Report can help you understand your risk profile to better address the new SEC guidance.
John Loveland leads cybersecurity strategy and marketing for Verizon Enterprise Services. He is a seasoned technology industry executive and entrepreneur with 20+ years' experience in leadership positions with public, private and start-up companies. A pioneer in the information risk management disciplines, John has founded companies and built practices in the areas of cyber risk, electronic discovery, regulatory compliance, data privacy, and enterprise information governance.
[i] Emphasis added.