Your company took a hit. You had a cyber “incident” or perhaps a “breach” or maybe you had “financial exposure.” These are terms the Securities and Exchange Commission (SEC) uses in its latest guidance to public companies on being more forthright when they’ve experienced “material events” (as in the potentially compromising kind). This means reporting such events on forms 10-K and 10-Q and in SEC registration statements. It also means notifying investors about them. The SEC is also pushing forward the involvement of directors and officers in cybersecurity areas such as overseeing incident reporting controls and cybersecurity risks and ensuring that they are informed about incidents. Of course, in the face of the 2017 Equifax breach, the SEC’s guidance also establishes and clarifies expectations of enhancement to existing procedures that guard against these directors and officers trading on inside information about these types of incidents.
Harmonization versus blurred lines on terms, timing and thresholds
The SEC’s guidance adds to the patchwork of privacy and security regulatory expectations both in the U.S. and around the world, including 48 states’ regulations, the Health Insurance Portability and Accountability Act, the financial regulatory expectations of the Gramm-Leach-Bliley Act, the New York State Department of Financial Services (NYSDFS) cybersecurity regulation, the EU’s General Data Protection Regulation (GDPR) and beyond.
It’s not surprising that every time there is a new expectation around incident reporting I get calls from friends across industry asking:
Will the regulators harmonize their expectations?
Can regulators come together with one common definition of an incident?
What about a singular timeframe to report or one government agency to report to?
Wouldn’t it be helpful if there was one clear set of information needed in this reporting?
Having walked a mile in the regulators’ shoes and worked across financial institutions, I agree that we need to strive for regulatory alignment. Because a variety of regulators have essential missions supported by a variety of legal authorities, it is no wonder that there are differences across their expectations. Through its guidance, the SEC is doing what it can, under its authority, to push for additional security involvement by public companies’ senior officials and directors while also ensuring transparency to investors. The commission did not intend to conflict with the requirements of the NYSDFS, GDPR, Committee on Payments and Market Infrastructures, International Organization of Securities Commissions or others regarding the timing for notification. The SEC’s authority, however, extends to materiality thresholds, and most incidents, upon investigation, will not rise to materiality.
Next steps
Public companies should immediately update their procedures regarding incident reporting. This includes clear, documented procedures on reporting to the SEC, investigating incidents, and escalating to officers and directors. Moreover, companies need to conduct real-world analysis through red-teaming and scenario analysis to understand and capture their business risk exposures. This will help them determine how to draw the lines of materiality when incidents arise. In addition, companies must implement documented controls that expand on existing procedures for ensuring that officers, directors and others with inside knowledge of incidents are not able to trade their company’s stock until after the incident becomes public knowledge.
Finally, shareholders should use this opportunity to learn more about how their investments are protected through the companies’ public reports on how they are managing the changing cybersecurity risk landscape.