SEC Ratcheting Up Cybersecurity Requirements

The U.S. Securities and Exchange Commission (SEC) is poised to issue a new, tougher rule on how companies handle and report cyberattacks and internal controls against them. The move, which reflects one of the commission’s top priorities, is just one of several regulatory, enforcement and legislative initiatives that are converging to give investors more transparency about companies’ cybersecurity risks.

“The SEC has signaled that it has started taking cyber vulnerabilities much more seriously than it has in the past,” according to a recent article in the Harvard Business Review (HBR).[1] Companies are being advised to re-examine their cybersecurity risk management plans and strengthen their policies and procedures for reporting cyber issues to their senior management, boards of directors and the SEC. 

Look Out for New SEC Cybersecurity Rule

The commission has promised new cybersecurity requirements,[2] which Washington observers say could take the following form:

• A mandatory rule instead of the current SEC guidelines on cybersecurity.[3]
• A bigger emphasis on the cybersecurity responsibilities of companies’ boards.
• A call for more detailed reporting.

The SEC has been ramping up its cybersecurity regulation since issuing its first guidelines in 2011 and updating them in 2018.[4] The new rule would build on the 2018 guidelines, which recommend disclosures including:

• Cybersecurity protections: Are they adequate? What is the cost? What is the residual risk?
• Incidents: How many prior cybersecurity incidents has the company experienced, and how severe? What’s the probability of future incidents?
• Business risk: What would be the operational costs and consequences of an attack? Any potential reputational harm?
• Legal risk: Would the company face regulatory penalties or civil lawsuits?
• Governance: How involved is the board of directors and senior management in cybersecurity?

Under the 2018 guidelines, comprehensive company policies and procedures should ensure timely internal reporting to company leadership and external disclosure to the SEC of significant cybersecurity risks and incidents. In addition, specific disclosure controls and procedures should be in place, company directors and officers need to be on top of the situation and insider trading on cybersecurity information should be blocked.

Many companies have been enhancing their cybersecurity disclosures under these guidelines, but only modestly, EY reported last year.[5] Another report from a separate group of companies and industry associations said that, “Too often, cyber-related disclosure language is boilerplate in a way that could not assist an investor in assessing a company’s cyber-risk profile or management of those risks.”[6]  

As an example, the latter report cited an annual report to the SEC stating that, “We have in the past been subject to cyberattacks and expect that we will be subject to additional cyberattacks in the future and may experience data breaches.” 

Where current SEC guidelines say what should be done, the new rule could update and mandate what companies must do — or face fines and other penalties. Just as the current guidelines have applied to every company publicly traded in the U.S., the new rule could also be broadly applicable. “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries,” the SEC noted in 2018.[7]

SEC Begins Issuing Fines for Cybersecurity Lapses

Even before issuing a mandatory cybersecurity rule, the SEC recently began enforcing cybersecurity requirements by applying its general rules for disclosing risk.

For example, the SEC issued a cease-and-desist order against a real-estate settlement services company in June, along with a $500,000 fine. One of the company’s applications had exposed more than 800 million images over several years, some of which included sensitive personal data, but “as a result of deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” the SEC said.[8]

In another case in August, an educational publisher agreed to pay $1 million after the SEC found that it had misled investors about a 2018 theft of student data from 13,000 school districts.[9] Specifically, in a semi-annual SEC report, the company had referred to the breach — which had already occurred — as “a hypothetical risk,” the SEC said. The company also told the media that it had solid protections in place, though the breach in question resulted from a long-unpatched vulnerability. And like the June case above, the SEC cited a failure by managers to report up the corporate ladder.

Also in August, eight investment firms settled SEC charges for failures in cybersecurity policies and procedures that resulted in email account takeovers, exposing customers’ personal information.[10] Most of the firms failed to follow their own stated security policies to protect the data, the SEC said in assessing fines of $200,000 to $300,000.

“These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches,” the HBR article concluded.

Additionally, the SEC has launched a “confidential fact-finding investigation” into a 2020 attack of a networking software company that infected about 18,000 of its business customers. Among its questions: whether the customers disclosed the incident in SEC filings.[11]  

Legislation Proposes Board Cybersecurity Mandate

In Congress, meanwhile, a bill has been introduced to mandate that companies disclose whether they have a cybersecurity expert on their boards. While the Cybersecurity Disclosure Act focuses on the SEC’s jurisdiction, several other bills and executive directives are targeting companies’ responsibilities to protect against and report cybersecurity incidents to other agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA).

Preparing for New SEC Cybersecurity Focus

What do companies need to do at this point? 

“The first step is doing a comprehensive heat map of the company’s entire cybersecurity program to address any weaknesses in technology, people and processes,” said Mimecast Product Marketing Director Garth Landers. “Then as events unfold, there has to be a constant chain of elevation and transparency internally that leads to external reporting. This becomes like the quarterly financial reporting process; it never ends.”

The HBR article and legal experts[12] suggest tactics including:

• Implement and document cybersecurity best practices.
• Build visibility into IT assets.
• Implement and test incident detection and response procedures.
• Periodically review and update the company’s cybersecurity program.
• Conduct regular assessments of cybersecurity systems and threats.
• Assign clear responsibilities and internal reporting procedures.
• Create a disclosure committee of directors and senior management, including security executives.
• Be prepared to disclose cybersecurity issues even before they are fully investigated and analyzed.

“Obviously, identifying potential problems and fixing them comes with the everyday job if you’re in IT and cybersecurity,” Landers said. “But often we need a rallying event like this elevated SEC scrutiny to do a comprehensive checkup and evaluation.”

What’s at Stake

The SEC has pointed to the significant costs companies face after a breach. Among them:

• Loss of revenue and customer relationships.
• Claims for breach of contract.
• Threat to future cash flows.
• Impairment of intellectual property.
• Increased financing costs.
• Higher insurance premiums.
• Investigation expenses.
• Compliance costs for breach notification, remediation, fines and litigation.

Estimates of the risk and cost of a data breach vary, but research firm Cyentia Institute recently reported that a Fortune 1000 company has a 6% chance of losing $100 million or more in a 12-month period because of a cyber incident.[13] Typical financial losses following a successful cyberattack can run about $200,000, the group said.

The Bottom Line

The SEC wants companies to be more transparent with investors about their cybersecurity risks, controls and incidents. The commission is expected to issue a new rule soon, which could require companies to update their cybersecurity programs and reporting procedures.
 

[1] “The SEC Is Serious About Cybersecurity. Is Your Company?,” Harvard Business Review

[2] “Testimony Before the United States Senate Committee on Banking, Housing and Urban Affairs,” U.S. Securities and Exchange Commission

[3] “SEC to ‘Dig Deeper’ in Cybersecurity Enforcement,” CFO Dive

[4] “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” U.S. Securities and Exchange Commission

[5] “What Companies Are Disclosing About Cybersecurity Risk and Oversight,” EY

[6] “The State of Cyber-Risk Disclosures of Public Companies,” Security Scorecard et al

[7] “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” U.S. Securities and Exchange Commission

[8] “SEC Charges Issuer with Cybersecurity Disclosure Control Failures,” U.S. Securities and Exchange Commission

[9] “SEC Charges Pearson plc for Misleading Investors About Cyber Breach,” U.S. Securities and Exchange Commission

[10] “SEC Announces Three Actions Charging Deficient Cybersecurity Procedures,” U.S. Securities and Exchange Commission

[11] “In the Matter of Certain Cybersecurity-Related Events,” U.S. Securities and Exchange Commission

[12] “SEC Makes Cybersecurity Top Priority,” JD Supra

[13] “Cyentia Institute Publishes Groundbreaking Research on the Frequency and Cost of Breaches,” Cyentia