On February 21st, the Securities and Exchange Commission (SEC) released new guidelines on cybersecurity disclosures. Companies listed on stock exchanges in the United States are instructed to disclose and report cyber security incidents, regardless of whether or not they suffered economic or data loss. In releasing these guidelines, the SEC cited legal requirements associated with cyber security, as well as the importance of putting policies and controls in place to ensure timely disclosure and preserve market transparency, while preventing any company associates from engaging in insider trading.
The New Guideline Explained
The previous SEC guideline dates from 2011, and some noteworthy changes have taken place in the SEC’s posture since then. In the old guidelines, disclosure of a cyber attack was only required if it led to an economic loss or somehow increased the risk of investing in the company. With the new guidelines, firms listed on the stock market should publicize cyber attacks regardless of whether or not the company was affected financially or in terms of its operating capacity. Recognizing that cyber security incidents can wreak havoc within a company, the SEC accepts that a certain amount of time may be required for companies to fully understand the scale and implications of security breaches, which may also involve investigative participation from law enforcement authorities, thus limiting the scope of disclosure. In their disclosure reports, companies should avoid including any specific technical information related to the functioning of systems, networks or devices that could be used by hackers as a “roadmap” in future cyber attacks. The main concern of the SEC is that investors receive the information they need to analyze the “financial, legal or reputational consequences” for themselves. To this end, the SEC states that losses and expenses related to cyber security should be reported on financial statements. This new posture from the SEC is in line with current regulations on many stock exchanges. For example, companies listed on the NYSE are required to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.”
Opportunities and Threats
Cybersecurity is a subject of growing significance for companies and investors alike. According to a 2017 study by IBM Security and the Ponemon Institute, companies that suffer a material data breach have a 27.7% chance of seeing it happen again over the next two years, while the average organizational cost of a data breach was $3.62 million among the 419 companies surveyed in 13 countries. 47% of data breach incidents were caused by hackers, while 25% and 28% respectively resulted from employee negligence and system errors. The risks associated with cybersecurity breaches are well known and include increased operational costs, legal liability to clients and investors, insurance premiums and mandatory organizational changes, on top of the serious blow to brand reputation. Faced with the requirement of disclosing any breach, companies will continue to look for ways to bolster their network or program security infrastructure to avoid the negative press that worries investors and weakens their competitive position. This is likely to further boost the already booming cybersecurity job market. On the other hand, hackers could be inadvertently encouraged, knowing that their exploits are now more likely to gain publicity. In addition to the hacker menace, the new SEC guidelines also warn companies to be wary of insider threats in the form of insider trading. Employees, consultants or associates with knowledge of the unfortunate cybersecurity incident may feel tempted to short company stocks in the options market, given the odds that news of the breach will make for shaky investors. If someone associated with a company is caught in the act, the consequences of insider trading would be severe for employee and employer, compounding the negative publicity from the cybersecurity incident itself. To avoid this, the SEC recommends that companies, from the boardroom down, put policies and procedures in place that clearly instruct security personnel as well as management on the legal dangers of insider trading.