- Last year, the SEC mandated that public companies disclose material cybersecurity incidents.
- Cybersecurity experts explained the rule, which can be confusing for company executives.
Investors consider cyberattacks one of the biggest threats to business. The incidents can cost companies millions of dollars, damage their reputations, diminish trust with investors, and affect their share prices.
Though cyberattacks are occurring more frequently, investors don't always understand their scope or how to factor them into their investing strategies, said Hugh Thompson, the executive chairman of the RSA Conference, a global cybersecurity gathering.
To ensure investors have access to timely, relevant information about cybersecurity events, the US Securities and Exchange Commission last year adopted rules requiring public companies to disclose details about "material cybersecurity incidents," or those likely to affect a company's operations, finances, legal obligations, or reputation.
"These types of cybersecurity incidents have a real impact, potentially, on shareholder value," Kate Dedenbach, a privacy and cyber attorney at Fisher Phillips in Detroit, told Business Insider. "The SEC's goal is to provide investors with more robust and timely information about cybersecurity incidents so they can make more knowledgeable investment decisions."
Thompson said that while the regulations were well meaning, they'd been confusing to chief information-security officers and others tasked with assessing cyber incidents. He said this was a common concern among attendees at the RSA Conference in May.
In January, Microsoft disclosed a cyberattack on its senior executives' email accounts and said hackers were able to access the company's network. That month, the mortgage lender LoanDepot also disclosed an attack in which hackers took control of company data. But a Forbes report suggested the companies didn't include all the SEC-required information, such as a description of the attack's material impact.
Here's what leaders of public companies should know about the regulations.
The final rule builds on previous guidance
In 2011 and 2018, the SEC issued guidance for public companies to disclose cybersecurity risks and incidents. But the agency said disclosures were inconsistent.
"This made it difficult for investors to quickly locate information about risks," said Lei Zhou, a research scholar at the University of Maryland's business school who coauthored research that the SEC cited in the final rule.
She said the 2023 final rule standardized the process for disclosing information and made disclosures a "binding requirement."
"When a company can choose not to report or choose to report, the investor can't fully understand what's going on with a company," Zhou said.
Still, organizations' reports will differ. She said investors could use differences in companies' disclosures to help make investment decisions.
The first step is determining materiality
Public companies are required to disclose any "material cybersecurity incident," or something likely to affect their financial condition or operations. This can include the release of customers' personal information or internal communications or the shutting down of a company's systems.
"The thought process is 'Would a reasonable investor consider this important when making their investment decision?'" Dedenbach said. "That's what determines whether it's material."
She said the concept of materiality is well known in SEC reporting regulations but acknowledged that it might be new to CISOs.
"We have a lot of experience and standards around understanding business risk," said Steve Winterfeld, the advisory CISO of Akamai Technologies, a cloud computing, security, and content-delivery company. "What we don't know is if you lose a customer database, what is the risk to the investor?"
He said CISOs are now tasked with working with legal and financial teams to define materiality for their organization and then determine whether a cyberattack meets those criteria.
Zhou said that determining materiality could be challenging, as some elements, like reputational damage, may take time to quantify. Ultimately it's up to companies to decide what affects their operations and business profile.
There's a timeframe for disclosures
The SEC says that determining a cybersecurity incident's materiality should be done "without reasonable delay" but doesn't specify a timeframe. Once materiality is determined, organizations must report the incident within four business days, including its nature, timing, and scope as well as its material impact on the business.
"The best course of action is to start a timeline when an event happens," Dedenbach said, "so you can make a defensible position about when you determine materiality."
Winterfeld said cyberattacks often develop over several days or weeks and can take several weeks to investigate. But Zhou said the SEC was relying on companies using their best judgment to comply in good faith and find "a balance between having an accurate disclosure and a timely disclosure."
The SEC says companies can delay disclosure if a cybersecurity incident poses a substantial risk to national security or public safety.
The final rule also requires companies to submit an annual disclosure about cybersecurity risk management, strategy, and governance, such as whether members of their boards have cybersecurity expertise.
Create a plan to streamline compliance
Thompson suggested developing a plan for assessing cyber incidents and determining their materiality. Winterfield said such a plan should outline who should do what, define materiality for the company, and involve core stakeholders, including security, information, and legal teams.
Zhou said extensive documentation is vital in case the SEC later asks for more explanation or details. The SEC hasn't specified the penalties for noncompliance.
Zhou added that as companies disclose their material cyber incidents, the SEC is likely to issue more guidance and clarification, and the regulations are likely to evolve.
But she said the final rule was a step in the right direction to help enhance cybersecurity and minimize attacks. Dedenbach predicted it would increase investments in technology and demand for people with cybersecurity and technology expertise.
"The investors are watching," Zhou said, "and the SEC is watching closely."