The Securities and Exchange Commission said last week that it’s planning fresh guidance to help companies understand their duties to disclose cybersecurity trouble. Compliance officers should brace themselves—what’s coming will probably be quite different from the usual SEC guidance, and it underlines just how difficult “disclosure compliance” can be.
First, consider what the SEC said. All we have are remarks that Bill Hinman, director of the Division of Corporation Finance, gave extemporaneously at a conference in New York. He warned that the guidance won’t define what a “material” cybersecurity incident is; rather, it will dwell on what internal processes and controls a company should have to evaluate a cybersecurity event.
As quoted in the Wall Street Journal, Hinman wants norms to assure that “when an event happens, that it is looked at by the right levels of management with an eye toward how… [it] impacts the business.”
What are the compliance and security implications of that? A few…
Diagnosing an event will be critical. The right levels of management can’t look at an event if the organization doesn’t know how severe the event was and therefore which managers should review it. This point is more the CISO’s purview than the compliance officer’s, but you won’t be able to fulfill your disclosure duties if the CISO’s ability to diagnose a breach is weak—so do him or her a solid, and stress the importance of that point next time you’re talking cybersecurity with the audit committee.
Escalation procedures will be critical. Even when a breach is correctly identified by the IT or security teams, it will still need to reach the proper level in the chain of command for a response. What’s more, the more severe the breach is—and therefore, the higher up the chain of command it needs to go—the more senior management needs to appreciate the breach in business terms, rather than technical terms.
Will this event trigger a disclosure requirement? Will it lead to regulatory investigations? Will we need to consider firing the CEO? Will it curb our growth expectations for next year? Will we have to report those lower expectations in the next earnings call?
The compliance officer doesn’t answer those questions. You do, however, need to ensure that the company can answer them, in a timely manner, when the breach strikes.
Look Beyond the SEC
We also need to remember the conundrum for SEC and company alike: a cybersecurity breach that’s material to consumers, under consumer protection laws at the state or industry level, might not be material to investors under federal securities law.
And I use the word “might” deliberately here. I don’t believe any of us really know the answer yet.
For example, the Equifax breach earlier this year, exposing the personal data of 143 million Americans, certainly feels material to the affected consumers. Equifax will need to go to great lengths to alleviate the harm it has caused them.
But as Equifax reported last week, the breach cost $87.5 million in the third quarter—not quite 3 percent of its $3.14 billion in annual revenue. That amount isn’t material. Will there be more costs in the future? Probably, but we don’t know how much. Then again, the company has also lowered its growth projections, and fired its CEO. Those are material events, and they’re foreseeable material risks, too.
So what’s the proper way to assess cybersecurity risks under securities law? How might those controls overlap with your processes for breach disclosure under consumer protection laws?
Perhaps we’ll get a better sense of that when the SEC publishes its promised guidance. More likely, compliance officers will still be struggling with it long after that.