The current administration has made increasing cybersecurity transparency a priority due to the potential negative impact cyberthreats pose for national security.
The U.S. Securities and Exchange Commission classifies cyber vulnerabilities as an existential business risk. As a result, it has begun issuing fines to companies it deems to have inadequately disclosed cybersecurity threats. This shift in SEC policy underlines the seriousness of cyberattacks for businesses.
Why the SEC is Issuing Fines
The SEC requires businesses to disclose risk factors to the investing public. This protects investors from buying company stock without access to the information they need to make an informed decision about the level of risk. Risk factors include natural disasters, competitive threats, political events, economic conditions, trade wars, public-health issues and cybersecurity threats, such as caller ID spoofing.
Why the SEC Considers Cyberattacks a Risk Factor
Cybersecurity breaches can cause substantial damage to a company’s financial condition and lead to a drop in share price. Companies that fail to protect customer data can suffer a loss of reputation and face lawsuits from customers and shareholders. Additionally, cyberattacks may become a distraction to management, negatively impacting the operations of a business.
What Companies Can Do to Avoid SEC Fines
Corporate leadership should begin taking steps to ensure their company is compliant with SEC disclosure recommendations.
1. Form a Disclosure Committee
The disclosure committee should consist of directors, senior-level employees and an information security leader. The committee should conduct quarterly surveys to gauge awareness of anomalies in the operational, financial, legal and cybersecurity aspects of the business that need to be disclosed to the board of directors, external accountants, senior executives and the SEC. The work of this committee supports the certifications the CEO and CFO make to the SEC whenever Forms 10-Q and 10-K are filed. Gathering this information helps reduce the potential for disclosure-related liability.
2. Build Visibility into Company Assets
Take an inventory to identify company assets and how critical each asset is to business operations. Use vulnerability management tools to help assess the overall corporate and IT environment. Combining the two lets your security teams prioritize issues by the level of business risk each one poses rather than by raw technical severity alone.
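As an added illustration of the prioritization described above (this is example code, not part of the original article or any vendor tool), the following Python joins a constructed asset inventory with constructed vulnerability findings and ranks them by business risk. The asset names, criticality tiers, the weighting factors and the VULN-000x identifiers are all assumptions made for this example; the scoring formula is a simple illustrative one, not a standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    criticality: int        # 1 (low) .. 5 (business-critical), set during the inventory
    internet_facing: bool   # reachable from outside the corporate network

@dataclass(frozen=True)
class Finding:
    asset: str              # asset name as reported by the scanner
    vuln_id: str            # placeholder identifier; a real feed would carry a CVE or advisory id
    severity: float         # CVSS-style base score, 0.0 .. 10.0
    exploited_in_wild: bool # threat intelligence says this is being actively exploited

# Constructed inventory: what the business actually runs and how much it matters.
ASSETS: Dict[str, Asset] = {
    "payments-api":  Asset("payments-api",  "finance-eng", criticality=5, internet_facing=True),
    "build-server":  Asset("build-server",  "platform",    criticality=4, internet_facing=False),
    "hr-wiki":       Asset("hr-wiki",       "people-ops",  criticality=2, internet_facing=False),
}

# Constructed scanner output. Note the last entry names an asset the inventory does not know.
FINDINGS: List[Finding] = [
    Finding("hr-wiki",        "VULN-0001", severity=9.8, exploited_in_wild=False),
    Finding("payments-api",   "VULN-0002", severity=6.5, exploited_in_wild=True),
    Finding("build-server",   "VULN-0003", severity=7.5, exploited_in_wild=False),
    Finding("laptop-unknown", "VULN-0004", severity=8.0, exploited_in_wild=False),
]

def business_risk(finding: Finding, asset: Asset) -> float:
    """Illustrative business-risk score: severity scaled by asset criticality and exposure."""
    score = finding.severity * asset.criticality
    if asset.internet_facing:
        score *= 1.5          # assumed weighting for external exposure
    if finding.exploited_in_wild:
        score *= 2.0          # assumed weighting for confirmed active exploitation
    return round(score, 1)

def prioritize(findings: List[Finding], assets: Dict[str, Asset]
               ) -> Tuple[List[Tuple[float, Finding, Asset]], List[Finding]]:
    """Return (ranked findings, findings on assets missing from the inventory).

    The second list is itself a visibility gap worth tracking: a finding you cannot
    attribute to a known asset cannot be prioritized, owned or disclosed correctly.
    """
    ranked: List[Tuple[float, Finding, Asset]] = []
    unknown: List[Finding] = []
    for f in findings:
        asset = assets.get(f.asset)
        if asset is None:
            unknown.append(f)
            continue
        ranked.append((business_risk(f, asset), f, asset))
    ranked.sort(key=lambda entry: entry[0], reverse=True)
    return ranked, unknown

def top_priority(findings: List[Finding], assets: Dict[str, Asset]) -> str:
    """Convenience: the vuln_id that should be fixed first, or '' if nothing is rankable."""
    ranked, _ = prioritize(findings, assets)
    return ranked[0][1].vuln_id if ranked else ""

if __name__ == "__main__":
    ranked, unknown = prioritize(FINDINGS, ASSETS)
    for score, f, a in ranked:
        print(f"{score:6.1f}  {f.vuln_id}  {a.name:<14} owner={a.owner}")
    for f in unknown:
        print(f"  n/a   {f.vuln_id}  {f.asset:<14} NOT IN INVENTORY")
```

Run as a script, the output puts VULN-0002 first: a medium-severity finding on the internet-facing, business-critical payments API outranks the 9.8 finding on the low-value internal wiki, which is exactly the difference between technical severity and business risk that the inventory step is meant to surface. The unattributed finding is reported separately so the inventory gap is visible to the same people who track the vulnerabilities.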
3. Don’t Wait Too Long to Disclose
Sometimes it takes weeks or even months to fully understand the scope of a cybersecurity incident. Don’t wait until everything is fully understood to disclose the breach. You can update the details, financial impacts and other consequences as you get more information. If a lawsuit or investigation results, who knew what and when they knew it may be important, so be sure to inform senior management and the board of directors as soon as a breach is discovered and document the disclosure. The deadline for disclosure varies case by case and depends on whether the breach is material and on which SEC Form 8-K requirements apply. When triggered, these regulations usually require disclosure within four days. You must also take into account any applicable state or federal laws and agreements with third parties.
4. Perform Regular Assessments of Your Cybersecurity Systems and Internal and External Threats
One of the aspects that makes cybersecurity so challenging is that technology and cyberthreats are always changing. Security professionals and cybercriminals are in a constant race to find or block new exploits, and the race is made harder because new technology and software are almost always released with security flaws. Regularly assessing your security systems and your existing and potential threats is critical. Cybersecurity is not something you can set and forget; you must continuously adjust your strategies.
Ransomware attacks that have shut down major industries and disrupted supply chains are likely to further motivate the SEC and lawmakers to require companies to be more vigilant and transparent in their cybersecurity practices. Companies can get ahead of this trend by adhering to cybersecurity best practices and making prompt disclosure of threats a priority.