“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors.”
-SEC Chair Gary Gensler
It is no secret that businesses face risks due to poor cybersecurity practices. In addition to compliance penalties, a breach by external adversaries, malicious insiders, or even negligent insiders can result in financial and reputational damage. The hidden costs of a security breach like loss of customer trust and decreased market value can be substantial as well. The fallout from breaches has always been viewed as affecting customer confidence and lowering market capitalization. Equifax lost over 30% of its market capitalization immediately following its breach and SolarWinds lost 40% of its market capitalization after its breach. The Harvard Business Review analyzed the multi-billion dollar negative impact of breaches in their article, The Devastating Business Impacts of a Cyber Breach.
Public companies are required by the U.S. Securities and Exchange Commission (SEC) to publish information on their business operations. In addition to annual and quarterly financial and business reports, public companies must also make disclosures through Current Reports (Form 8-K) when significant events or material changes occur that could affect an organization’s operations or financial conditions. Traditionally, this includes events such as acquisitions or dispositions of assets, changes in management or control, financial restatements, or legal proceedings.
In 2018, the SEC added cybersecurity risks to Form 8-K disclosures. Citing that “cybersecurity risks pose grave threats to investors, our capital markets, and our country”, it published interpretive guidance on public company cybersecurity disclosures. This includes a requirement to “inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
Lately, enforcement is becoming more “personal.” Some studies show that employee terminations occur following 31% of breaches, including CEOs, CIOs, and CISOs. Perhaps most personal of all were the recent Wells Notices sent to several current and former SolarWinds executives regarding their 2020 breach, including their current CISO and CFO. A Wells notice is a notification letter issued by the SEC to inform individuals or entities that the SEC's staff intends to recommend enforcement action against them. Not against the company – against them as individuals for their actions (or lack of actions) following a breach. It is a significant step in the SEC's investigation process and provides the recipients an opportunity to respond and present their case before the SEC makes a final decision on whether to pursue enforcement actions.
The SEC believes that more detailed disclosure requirements are warranted to protect investors from cybersecurity risk. In 2022, the SEC proposed additional disclosure requirements for Form 8-K. This includes reporting within:
Additionally, the proposed rules would amend Forms 10-Q and 10-K to require registrants to provide information on the organization’s policies and procedures for identifying and managing cybersecurity risks, the role of management and the Board of Directors in overseeing these controls, and information about cybersecurity expertise at the board level.
IBM’s 2022 Cost of a Data Breach Report highlighted that the average cost of a data breach in the U.S. increased to $9.44 million, a cost too high for investors, shareholders, employees, and partners.
When finalized, the new reporting requirements will provide investors with a better understanding of the organization’s cybersecurity maturity and risk profile. This will allow them to make more informed investment decisions. The requirements (and the potential for additional Wells notices) will help move corporate management and boards to protect data and force them to be more forthcoming in their disclosures.
The release of the final rules has been postponed until October, indicating that some details are still being refined. Comments to the proposed rules include concerns about the four-day disclosure requirement. As written, the rules would require reporting via a Form 8-K “within four business days after the registrant determines that it has experienced a material cybersecurity incident.”
The proposed rules offer some guidance on incidents that “may” trigger the disclosure requirement. These include data loss incidents that
Another concern with the proposed rules’ disclosure requirements involves investigations. As written, the rules require disclosure even if there is an active law enforcement investigation that could be compromised by the disclosure.
While the rules primarily target public companies, the guidance provided can be valuable for all organizations for reporting to their internal leadership team and board. These regulations aim to encourage organizations to enhance the timeliness and comprehensiveness of their cybersecurity disclosures. It is worth noting that although mid-sized, privately-held organizations are not subject to SEC disclosure requirements, they may still have obligations to report incidents to their publicly traded customers and partners.
The Reveal platform can help you and your cybersecurity team deliver timely and comprehensive reports. Our interface delivers a summary of insider and data movement risk trends including a summary of data and user activity. Out of the box and customizable reports deliver the insights you need to educate stakeholders on risk.
The final rules should be published in a few months, though the dates have already changed multiple times. Check back in to learn what transpires.