Disclosing cyber-risks and recent hacks is becoming a prominent request from investors, lenders, and other stakeholders. Stakeholders want more information than most companies are providing. The Securities and Exchange Commission (SEC) is working to refresh and improve the guidance on these disclosures.
The current guidance on cybersecurity was published in 2011. The policy does not contain a specific requirement for reporting computer system intrusions. Attacks on computer systems are becoming common for public companies. SEC requirements have not caught up to the level of security concerns, and most companies are not disclosing attacks quickly or with adequate information.
The SEC is not planning to overhaul its Disclosure Guidance: Topic No. 2, Cybersecurity. Instead, it is examining whether the existing rules require important information to be disclosed to stakeholders. This might include companies expanding their management’s discussion and analysis and their footnote disclosures to reflect potential cyber risks and the material financial implications of data breaches.
SEC regulators aren’t yet sure if the update will be issued as a regulatory release approved by the SEC’s commissioners or as staff-level guidance. They are certain that two key issues will be addressed in the updates: 1) financial reporting controls and procedures for promptly identifying and disclosing cybersecurity threats, and 2) corporate strategies and policies regarding cybersecurity prevention, detection, and breach response.
Companies often welcome additional SEC guidance, as it can be challenging to determine the appropriate time to disclose a security breach of their systems. Companies feel responsible for sharing relevant information honestly and openly with their stakeholders. However, companies also do not want to disclose information about a breach before knowing the extent of the damage, because they cannot yet provide accurate information. Breaches often involve law enforcement, and sometimes companies don’t release information because they are working with law enforcement and disclosure to stakeholders could compromise an investigation.
It is important that any company have a team of advisors, including legal, insurance, and financial experts, to identify risk factors and to manage a breach response. This includes measuring the impact and mitigating potential losses from the breach. We can help you manage the disclosure of cybersecurity information to shareholders in an open and timely manner. Contact us at 818-334-8623 or click here, and we will contact you.