17 September 2023

Cyber risk is business risk, and the SEC knows it

CHRIS INGLIS

A long overdue policy change to improve corporate governance on cybersecurity is taking effect.

At the end of July, the Securities and Exchange Commission adopted new rules requiring publicly traded companies and foreign private issuers to disclose material cybersecurity incidents; they are also required to annually update their cybersecurity risk management policies and governance. These companies are drivers of innovation and critical to the strength of the U.S. economy. It is in the public interest that they take corporate responsibility for their cybersecurity.

This guidance comes none too soon, as American businesses are under an unprecedented level of cyber threat. Compromises of personal data are a daily occurrence. Ransomware attacks are up and increasingly costly to address. Cyber theft of proprietary information is persistent. Foreign nations are installing malware to facilitate future malicious activity. And because of our perpetually increasing network integration (which fuels economic growth), the consequences of successful cyberattacks are also growing exponentially.

When we served together on the congressionally mandated Cyberspace Solarium Commission, we discussed how the federal government could mitigate systemic cyber risks. We, just like the SEC, recognized that corporate accountability and transparency can prevent an Enron-level crisis to markets caused by a single cyberattack or series of attacks.

More than a decade ago, the SEC first issued guidance saying that cyber incidents could constitute material events that required disclosure to shareholders. In 2018, the SEC issued additional guidance that companies should disclose cybersecurity risks and incidents. Indeed, many companies already take these issues very seriously. As SEC Chair Gary Gensler noted, “many public companies provide cybersecurity disclosure to investors.”

The problem is that disclosures have been inconsistent. Some companies provide timely and informative disclosures. Others offer up only the bare minimum amount of information. The SEC’s latest rule attempts to harmonize and clarify previous cybersecurity governance and reporting requirements so that companies and their investors know what to expect.

Armed with more information, investors can reward companies that take cybersecurity seriously. Until now, investing in cybersecurity improvements was often viewed as a drag on the balance sheet. The new rules can flip the script, motivating companies to improve their cybersecurity posture.

The rules will only be as good as the SEC’s enforcement of them. Despite the 2011 guidance, it was not until 2018 that the SEC fined Yahoo! Inc. for failing to disclose a 2014 data breach to its shareholders. Rules are only meaningful if actors are held accountable for breaking them.

The new SEC rules are not just about forcing companies to fess up when they have had a breach. Rather, the SEC is focused on corporate responsibility. The new rules also require companies to describe their internal processes to assess, identify and manage material risks from cybersecurity threats and how the board of directors remains informed and provides oversight of cybersecurity risks. This requirement is an acknowledgement that a company’s cyber posture is not just the domain of the chief information security officer. Ultimately, responsibility lies with senior corporate officials and the board. For this reason, it is disappointing that the final rule omits earlier provisions that would have required companies to disclose board members’ cybersecurity expertise. This would have helped ensure that the board understands the oversight it is supposed to be providing.

The rules became effective September 5, and companies will begin submitting disclosures in December. Soon, policymakers and the public will be able to measure how cyber risk impacts financial operations, which raises an old, thorny issue — how can the information collected be used constructively for strengthening cybersecurity?

On the Cyberspace Solarium Commission, we suggested that such data could be used by a proposed Bureau of Cyber Statistics, which could analyze and disseminate data on cybersecurity, cyber incidents and the cyber ecosystem to investors, the public, policymakers at the federal and local levels and even the insurance industry, which is lacking in accurate risk models.

The SEC rules alone will not solve national cyber resilience issues. To be sure, the rules appropriately emphasize the role that public companies must play in protecting customer information, digital assets and shareholder equity entrusted into their care. But the vast majority of public companies operate on digital and critical infrastructure developed, delivered and sustained by others. They cannot be expected to bear the entire burden of ensuring inherent resilience in our digital underpinnings.

We must also address the essential and complementary roles of those in the digital supply chain who provide the hardware, software and cloud services essential to every facet of our daily lives, so that operating companies and individuals are not left holding the bag as the first and last point of our cyber defense.
