How can the SEC become the primary regulator of corporate cyber security?

Written by Ben Fagan
VP, Corporate Strategy & Chief of Staff

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.

Guidelines vs. Standards

Target’s infamous security breach in 2013 was a highly publicized event. Some have questioned why it took Target four days to publicly disclose the breach of its customers’ sensitive information, saying that the retailer had the responsibility to inform customers as soon as the problem was discovered. According to CNBC, Target Chairman and CEO Gregg Steinhafel claims the four-day period from security breach to public disclosure was actually fast, considering the retailer identified, investigated and took security actions during that period.

John Mutch, CEO of BeyondTrust, reported to Forbes that 27 of the largest companies that reported cyber breaches claimed to have suffered no financial losses. Evidence, however, indicated otherwise. Sony doled out $171 million to clean up their incident, while Heartland Payment Systems lost an estimated $140 million.

Breach transparency standards would make it harder for companies to keep the public and their shareholders in the dark about financial losses and potential cyber threats.

Benefits to Shareholders

Is it in the best interest of shareholders for the SEC to set minimum standards rather than guidelines? Douglas Meal of the law firm Ropes & Gray doesn’t think it really matters. According to him, most big businesses don’t see their stock prices plummet after announcing a cyber breach.

On the other hand, businesses such as Target acknowledge that cyber breaches could potentially cost them money and the confidence of their customers. Considering this and the company’s reluctance to be transparent about its major data breach, what should motivate them to be forthcoming with material loss reports?

No matter how effective or ineffective the SEC’s standards would be, one thing is certain: a minimum standard for breach transparency would hold companies accountable for their security procedures, making it more likely that they would regularly measure security performance.

Rather than be subject to investigation by the SEC, companies would hopefully opt to improve their standing with the Commission and shareholders by properly reporting security breaches.