This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.
Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation , “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.
The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registrations statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, they are elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.
Axio’s CEO, Scott Kannry, wrote about this just last October: