In late February, the U.S. Security and Exchange Commission (SEC) issued new cybersecurity guidance in the form of an “interpretive release.” According to the SEC website, the Commission frequently provides guidance on federal securities laws and SEC regulations for business and investment communities. The release covered three main topics:
Disclosure of cybersecurity risks and incidents
Companies have been largely remiss in alerting the public to breaches that may directly impact them. Equifax took five months to reveal that the data of 145 million people had been compromised. Yahoo took years to disclose that every one of its user accounts had been compromised.
This release provides some additional clarity in terms of actions companies are required to take after a breach:
“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
A clear step in the right direction, this stresses the need to make material disclosures in annual and quarterly reports, as well as other management discussions and analyses of financial conditions. It’s a good start, but it still leaves room for interpretation: What exactly are “material cybersecurity risks” versus non-material, and how would that be clear before an actual security incident occurs? And what is a “timely fashion?”
According to the state of Pennsylvania, it’s certainly less than a year. On Monday, the state filed a lawsuit against peer-to-peer transportation network Uber for an alleged violation of its mandatory breach notification law which went into effect back in 2006. Uber waited more than a year to publically disclose a 2016 breach and could now be looking at civil penalties in the amount of $13.5 million.
Incident response plans
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
This means companies should have policies and procedures within their incident response plans that allow them to rapidly ascertain the impact of a breach upon its discovery.
Whether or not all the details are known, incidents—including both significant and lesser breaches—should be regularly reported to management so that materiality can be evaluated and disclosures made when necessary. An internal or external investigation cannot act as a basis for not disclosing material cybersecurity incidents.
Insider trading between breach discovery and disclosure
“Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.”
Almost immediately after the Equifax breach was discovered, members of the senior management team reportedly executed large sales of company stock. I believe the matter remains under investigation.
This SEC clarification suggests that companies should restrict the sale of company shares by directors and officers during the time between the discovery of cybersecurity incidents and their public disclosure. Specifically, it states that companies should “consider whether and when it may be appropriate to implement restrictions on insider trading in their securities."
Overall, I find the SEC guidance helpful, and do believe it clarifies several points. But I would also have to agree with the two SEC commissioners that voted to approve the guidance, but simultaneously called for more action, especially when it comes to risk.
A word about risk transparency
The importance of disclosing risk is clearly underscored in this SEC release. But virtually every company doing business online--which is every company--is subject to cybersecurity risk. The risk that investors and the public need to be aware of is not that sharks exist in the water—we all know that—the risk is entering that water without the necessary protection to ensure assets remain safe.
It would be valuable for investors and customers to know when companies are not employing proven technologies to minimize those risks. For example, not utilizing two-factor authentication to reduce the risk of unauthorized access, or not using privileged access management (PAM) to limit access to the most critical information, even after hackers have gained access to the infrastructure.
The problem is obvious: any company that revealed they didn’t have the appropriate measures in place to face those risks would be an immediate target. And the SEC recognizes this.
The simple answer is for organizations to responsibly and effectively utilize technologies that minimize risk and the associated disclosure. We know that a majority of today’s cyber risks can be significantly diminished by the technologies that comprise Zero Trust Security.
Perhaps it’s time to call out those organizations that have achieved a designated level of Zero Trust and allow investors to make their decisions based on who is best protecting their interests.