What The SEC Has Signaled To Public Companies About Cybersecurity

US regulators seek speedy and systematic disclosure of cyberattacks

23Mar

Historically, cyberattack consequences have ranged from reputation damage to strained partner relationships to heightened investments in IT and security. Increasingly, however, companies must also consider legal and regulatory consequences.

After a 2016 Uber breach exposed the personal information of roughly 600,000 drivers, the Pennsylvania attorney general filed suit on behalf of the state's 13,500 affected drivers. Pennsylvania's breach-notification law requires companies to notify affected residents without unreasonable delay; Uber waited roughly a year before disclosing the breach. The suit seeks $1,000 per affected driver, which could cost the company up to $13.5 million in total.

Stricter regulations and larger penalties are issues every organization should be cognizant of. In fact, the interpretive guidance the U.S. Securities and Exchange Commission released in February 2018 emphasizes the necessity for speedy and systematic disclosure, underscoring the obligation public companies have to protect the company and its investors in the wake of a cyberattack. The recent insider trading case against an Equifax executive who sold nearly $1 million in shares before the company revealed its breach also illustrates why proper controls over who knows about an incident, and when, are essential.

Thus, even companies that already do well at understanding their policies and processes for making disclosures will have to do better. Not only will these improvements reduce guesswork by mid-level managers and speed up disclosure, but they will also create a predefined process that extends all the way to the board level and results in timelier formal disclosures that benefit every stakeholder.

Understanding the Impact of the SEC Statement

Overall, the SEC's action elevates cybersecurity in public companies by raising awareness at the board level, which in turn raises it for management teams. In particular, the guidance expects boards to have their teams more thoughtfully consider three facets of cybersecurity: 1) the potential impact cyber events would have on the business; 2) the process for timely disclosure of those events; and 3) the appropriate content of the disclosure.

The losses from a data breach often fall disproportionately on the people whose data was exposed. Breached companies' revenue and bottom lines may take hits, but those setbacks are often less significant than the harm to the individuals whose data was released. Take the Equifax breach as an example: the individuals whose sensitive information was stolen bear losses much greater than the company's.

Moreover, the time between an organization learning of a cyberattack and disclosing it is a window in which attackers can monetize the stolen data while the victims are unable to defend themselves. The sooner the affected party (or parties) are aware of a data breach, the sooner they can move to protect themselves.

Ultimately, these facts support the trend that cybersecurity is a C-suite concern rather than an issue isolated to IT. Although this may be a new approach to cybersecurity for some firms, it's quickly evolving into the norm as cybersecurity transitions into a fundamental concern for organizations in all sectors.

The Importance of Implementing ISO 27001

With the financial consequences of attacks continuing to grow, leaders will need to open up communications from top to bottom in order to conduct ongoing cost-benefit analyses. Every project will need to be evaluated in the context of its exposure to attack and the potential cost of a successful one.

Additionally, these discussions will lead to the adoption of policies and practices that strictly define how leaders react in the wake of a breach. With the SEC emphasizing disclosure, leaders at all levels must understand when, where, and how to notify attack victims. Following a detailed plan ensures that confusion and fear don't cause the response to exacerbate the situation after an attack.

As important as policies and practices are, though, they can't be implemented arbitrarily. One of the cardinal sins of cybersecurity is believing that your company is less at risk of (or is immune to) attack. A piecemeal approach that underestimates threats and overlooks security gaps leaves openings an attacker will eventually find. That's why organizations should adopt the international standard and industry best practices codified in ISO/IEC 27001, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

This standard specifies the requirements for establishing, operating, and continually improving an information security management system (ISMS). By taking a systematic approach, companies equip themselves to address all the relevant people, processes, and IT assets at every level, both before and after an attack. Businesses can also earn ISO/IEC 27001 certification and signal to both customers and vendors that they follow recognized security practices. As regulators increasingly make cybersecurity a priority, adopting the standard and publicly providing verifiable levels of protection could instill greater confidence in an organization. This practice may even become mandatory one day.

In the event of a cyberattack, companies may delay their responses while waiting to get their information in order or to investigate what and who was affected, and these delays have become all too commonplace. Even without guidance like the SEC's that spells out why waiting is a problem, the cost of a cyberattack to both individuals and organizations outweighs the supposed benefits of waiting. In the face of today's dynamic cyber landscape, the only way to minimize the impact of attacks is to implement policies and practices that let you react immediately and uniformly to any breach.

Sunset
