SEC will now require US companies to disclose cybersecurity risks and breaches

An interpretive statement from the SEC requires that breaches and other issues be disclosed in a timely manner.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A statement from the SEC revises cybersecurity disclosure rules that public companies face under US federal law. The requirements are far more robust than before and also include specific rules against insider trading.
  • While not actual law, SEC interpretive statements come from the Commissioners themselves and are indicative of how the government believes cybersecurity rules should be interpreted. Companies would do themselves a favor by becoming familiar with the new requirements.--TechRepublic

The Securities and Exchange Commission has published an update to a 2011 cybersecurity statement saying that publicly traded companies need to "take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion."

It's important to note that risks are included in the statement--the SEC wants companies to continually monitor themselves for security risks and notify shareholders of potential attack vectors and the potential for those vectors to be exploited.

Also worth mentioning is that the SEC's statement is an interpretation, meaning that it isn't legally binding. They are statements of how the SEC interprets existing law and are designed to serve as a guideline, so companies should do their best to comply: The interpretive statement may be the legal reasoning behind a case should the government catch wind of a violation.

How the SEC's statement affects your company

The most important element of the SEC's statement is that it only applies to public companies, that is, ones that have publicly traded shares. Private companies don't need to worry about conforming to the SEC's statement.

Public companies need to give the statement a thorough read and should consider implementing its suggestions and ensuring they conform to the rules.

First, and most importantly, the SEC is essentially extending its interpretation of older disclosure rules to cover cybersecurity. If you are at all familiar with SEC disclosure guidelines under the Securities Act of 1933 and the Securities Exchange Act of 1934, these new guidelines won't appear very different--the SEC even wants disclosures filed on the same forms.

As the original 2011 statement said, "although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents."

What this new interpretive statement does is reinforce and expand the 2011 original, along with adding an important section designed to crack down on insiders trading stock based on undisclosed knowledge of a cyber attack--something important to consider in the wake of stock dumping accusations surrounding the Equifax breach (of which executives were later cleared in an internal investigation).

What the SEC has to say on that particular front is clear: "directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."

In other words, disclose incidents immediately to prevent even the appearance of impropriety.

Particular passages to be aware of

Several particular requirements jump out on reading the interpretive statement, which seem largely to be designed to dispel uncertainty surrounding the SEC's addition of cybersecurity to its disclosure rules.

First, don't worry about disclosing intimate details of your cybersecurity infrastructure: The SEC doesn't want that. What it does want is disclosure of "cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences."

The SEC also expects companies to "establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity."

Companies should plan to file periodic reports on cybersecurity risks and incidents, and those reports can't be from cookie cutter templates: The SEC wants them to be "contextually relevant."


Contextual relevance means that every potential detail of an incident is included, which could even extend to breaches that happened at suppliers, customers, competitors, or anyone else that could increase the risk to, or lead to an incident at, a company.

The reports filed, whether periodic or incident-specific, can't be construed as misleading, nor can anything contextual be omitted, which the SEC defines as being any fact that a reasonable investor would consider important information in making a decision.

Companies won't be able to hide behind investigations either: "[an investigation] would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident." In other words, just tell everyone something happened and you're investigating it.

If all of that sounds confusing, there's one passage from the statement that sums up the entire approach the SEC has to publicly reporting incidents or risks: "If cybersecurity incidents or risks materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure."

There's a lot to be found in the SEC's statement, and while not everyone thinks the guidelines go far enough, they're the new rules of the land. IT leaders and C-level executives should do themselves a favor and become familiar with these new best practices.

Knowing them may be the difference between simple resolution of an incident and a court case.
