The U.S. Securities and Exchange Commission (SEC) recently released updated guidance on cybersecurity disclosure for public companies, prompted by companies' increased reliance on IT systems and the rise in the number of cybersecurity incidents, as well as their magnitude and costs. The updated SEC guidance calls for companies to communicate material cybersecurity risks and incidents promptly, and to have the controls in place to do so. The new SEC guidance is effective as of Feb. 26, 2018. How does this impact your company? Does your current cybersecurity control framework support the ability to make the accurate and timely disclosures the new guidance requires?
Points of focus
The SEC released this updated guidance to stress the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Beyond making accurate and timely disclosures of material cybersecurity events, companies will need controls that ensure material information reaches the public promptly and that reduce the risk of directors and officers trading the company's securities after an incident is identified but before it is publicly disclosed.
Materiality is king
Materiality should always be the number one consideration when reviewing a cybersecurity incident for disclosure requirements. Companies should weigh the potential materiality of any identified risk, of any compromised information, and of the incident's impact on the company's operations. The company should also take into consideration the harm to its reputation, brand, financial performance, and customer trust, as well as the possibility of litigation or regulatory investigations.
The SEC expects companies to review all cybersecurity risks and incidents and disclose those aspects that have a material impact to investors.
What is not in a disclosure?
The SEC wants companies to understand that the intent of these disclosure requirements is not to give away the keys to the castle. It does not expect disclosures so detailed that they would undermine the cybersecurity controls a company has implemented. Specific technical information about network set-up and infrastructure, or about potential vulnerabilities, would not be expected in a cybersecurity incident disclosure.
Prevent, detect, respond, recover
You don't know what you don't know. This sentiment rings true for incident disclosures: you cannot properly disclose an incident if you are unaware it occurred. Companies should focus their controls on incident prevention and detection, backed by proper incident response and recovery procedures, so that a material incident is identified early enough to be disclosed on time.
No longer an IT problem
Historically, security issues have fallen under the purview of the IT department. This is no longer the case in the eyes of the SEC. The SEC's cybersecurity disclosure guidance now makes it very clear that a company's board of directors, not the IT department, is responsible for the proper disclosure of cybersecurity incidents. The newly released guidance also emphasizes that a company must disclose the extent of its board's role in overseeing cybersecurity risk.
This guidance will force the board to engage with the C-suite, especially the chief information security officer, and to ensure cybersecurity risks are integrated into the overall enterprise risk management framework rather than managed in isolation by IT.
Consider taking the following actions to ensure your company is, and remains, in compliance:
- Conduct a risk assessment to evaluate all cybersecurity risks and ensure processes are in place for disclosing risks appropriately.
- Review all past incidents and evaluate if a new or updated disclosure is necessary.
- Evaluate your company's incident response policies and procedures to ensure they appropriately address the updated guidance.
- Ensure all appropriate personnel are informed of, and trained on, their new responsibilities.
With the new guidance already in effect, it is important to assess your current state and begin addressing any issues that could leave your company vulnerable to noncompliance.
As always, if you have any questions, feel free to give us a call.