In February 2018, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.
Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general, ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.
The Commission is increasingly focused on cyber risk as it pertains to disclosure requirements. The 2018 guidance addressed one of the criticisms of the original 2011 guidance – namely, that it lacked the teeth of enforceability – and statements by Chairman Clayton and others left little doubt that cyber disclosures were near the top of the SEC agenda. Perhaps it shouldn’t come as a surprise, then, that on April 24th the SEC reported a $35 million agreement with Altaba (formerly Yahoo) for a multi-year delay in reporting a 2014 data breach.
This is the first enforcement action of its kind following the new SEC guidance. There is no doubt that a message is being sent to reporting companies with this action. As Jina Choi, Director of the SEC’s San Francisco Regional Office, commented, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” We suspect this will be the first of a number of similar actions, but stress that appropriate and comprehensive cyber disclosure practices are readily achievable.
Axio’s CEO, Scott Kannry, wrote about this just last October:
“Cybersecurity should be at the top of every upcoming executive and board of directors meeting. Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between. But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that ‘something similar must never happen to us’.”
– Scott Kannry, Axio CEO
What must board members understand about the new disclosure requirements? First, the good news – they are not technology-based. They will not require board members to become experts in the latest cybersecurity technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity risk management program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures.
4 Components of an Effective Cyber Risk Management Program:
1. Quantify your exposure in financial terms.
   - As the SEC notes, “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
2. Evaluate the caliber of your current cyber program within a maturity-based framework.
   - This approach recognizes that cyber risk and maturity are dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
3. Maintain adequate insurance and reserves to recover from a cyber incident.
   - This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
4. Benchmark your performance against your peers.
   - Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met its duties with respect to cyber risk.
When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”
We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.