A Look at the SEC’s Proposed New Cybersecurity Disclosure Rules

In March of this year, the Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure rules that, if approved, will significantly impact how public companies report on material cybersecurity incidents, as well as risk management, strategy and governance. 

There are a variety of different amendments outlined in the SEC’s 35-page Federal Register on the proposal, but, for the sake of simplicity, here’s the thousand foot view: public companies would need to disclose information about a material cybersecurity incident within four business days, as well as provide periodic disclosures on:

• Previously disclosed cybersecurity incidents, whenever material changes, additions or updates occur.
• The company’s risk management, strategy and governance, including outlining risk assessment programs, board oversight of cybersecurity risk management, and management’s expertise and role in assessing risk and implementing cybersecurity policies, procedures and strategies.
• Cybersecurity expertise of members of the board of directors.

Growing Cybersecurity Risks

Why is the SEC taking steps to mandate cybersecurity disclosure now? The SEC has recognized that risks are growing as cyberattacks become increasingly sophisticated and prevalent. The potential damage and costs to a public company stemming from an incident can be extensive and negatively impact both short-term and long-term shareholder value. 

There’s no shortage of examples in the news that highlight the problem. Recently, Uber announced a breach after a hacker gained control of its internal systems, and the following day its stock price dropped 5%.

Uber isn’t alone when it comes to suffering from a data breach—far from it. Research reveals that more than 60% of the Fortune 1000 had at least one public data breach over the past decade, with estimates showing that one in four Fortune 1000 firms will suffer a cyber loss event on an annual basis.

Harvard Business Review does a nice job describing the detrimental impact a cybersecurity incident can have on a public company:

“In the wake of the Capital One hack, which was publicly reported in July 2019, the company’s stock price dropped nearly 6% immediately in after-hours trading, losing a total of 13.89% over two weeks. Likewise, following the announcement of the Equifax breach back in early September of 2017, the company saw a similar negative reaction from the stock market with its stock price plunging from $142.72 to $92.98 in just one week. What is worse, its market share dropped significantly in 2017 and has struggled to recover ever since.”

Opposing Views

Given the growing risks, the SEC is calling for greater transparency and timely reporting, so investors and other market participants can make more informed decisions. The SEC cites other benefits, such as positive effects on market efficiency and competition, and the impact that improved cybersecurity programs would have on reducing the likelihood of future incidents.

However, the proposed rules are raising questions and concerns. The main concern is that the new rules could undermine the nation’s cybersecurity efforts. For example, putting pressure on public companies to meet the four-day material incident disclosure deadline even if they haven’t had a chance to fully remediate the breach.

A recent article in Protocol provides a good overview, citing industry groups, including the Information Technology Security Council and Internet Security Alliance, that feel the four-day requirement could end up exposing companies to further harm by threat actors. According to a letter to the SEC from a coalition of industry associations, “by forcing companies to disclose incident information prior to the mitigation of vulnerabilities. Detailed public disclosures could give cybercriminals and state-backed hackers a trove of data to further victimize companies, harm law enforcement investigations, and disrupt public-private responses to cyberattacks.”

These concerns could pose a serious problem to public companies if not addressed by the SEC in the final rule, which is expected next year.

Don’t Delay in Preparing

Regardless of where you stand on the issue, the SEC’s proposal brings to light the importance of a strong cybersecurity and risk management program, including prioritizing security policies and procedures, ensuring program governance and getting leadership more involved in risk management. Whether or not you are a public company, these components are table stakes.

To learn more about the proposed rules and get advice on what you can do to start to prepare, download Navisite’s brief: SEC’s Proposed Cybersecurity Disclosure Rules for Public Companies.

Bottom line: there is no time like the present to evaluate the state of your security and identify areas you can improve to mitigate risk and protect against evolving threats. If you have questions or need help with your security program, Navisite can support you with a range of Security Services, including an initial security assessment of your environment. We also offer vCISO services that provide on-demand guidance, expertise and ongoing governance. Don’t hesitate to contact us today to learn more.