SMBs don’t often find themselves in the sights of the SEC. Times are changing, however, because of the enormous focus now placed on cybersecurity, and especially on breach disclosure.
It used to be that larger companies could bury breaches in their financial documentation. Because of the risks discussed below, that loophole has now been addressed.
We want to give you a quick synopsis of the findings, rules, and how they might impact your business.
What’s the New Regulation?
With massive data breaches occurring seemingly daily, the importance of cybersecurity is on everyone’s mind. Both President Obama (in 2016) and President Trump (in 2017) issued releases about the need to address cybersecurity risk directly.
For businesses, the SEC rules in place since 2011 that require you to disclose cybersecurity breaches have been a little vague. The regulators encouraged prompt disclosure but did not provide thorough guidance on the processes and procedures for making it.
Without clear direction, many businesses were left guessing at how to properly address these issues. In its February 2018 release of the Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC outlines a new approach to help businesses combat the cybersecurity risks “that pose grave threats to investors, our capital markets, and our country.”
“Companies must provide timely and ongoing information in these periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.”
Public companies must disclose breaches. Much of the guidance is built around the importance of creating comprehensive internal policies that help businesses not only reveal breach information to the public but also determine when and where a breach occurred.
The report also reminds companies that insider trading prohibitions may come into play when breach information is disclosed selectively.
So, I’m Giving Bad Guys a Roadmap to Attack Me?
Short answer: No. The guidance states that disclosures should not serve as roadmaps for future attackers.
“We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”
Balance the information you divulge to the public against the need to maintain the security of your systems. Use your judgment and discuss it with your cybersecurity advisor.
The Big Risk Is Reputational
No matter how damaging a breach may be from a monetary standpoint, another big risk of a cybersecurity breach is reputational. Customer and investor confidence in your business is crucial to your success. A data breach (like the unintended Equifax breach affecting 145.5 million customers, or the intended exposure of 50 million users at Facebook) can send public opinion of the business plummeting.
The SEC’s guideline points out that “the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
This means it is up to you to ensure you have proper cybersecurity practices, methods of breach detection, and the ability to issue disclosures in a timely fashion.
We Want to Help You Manage Expectations
Navigating the current technology risk climate can be confusing. As your IT advisor, we want to help you meet these expectations. We can help you set up procedures to find and resolve breaches while giving you best practices for maintaining cybersecurity due diligence with the regulators. Contact KJ Technology today.