Rethinking cybersecurity disclosures to investors

The Securities and Exchange Commission (SEC) issued interpretive guidance in February 2018 that challenges senior executives and boards of directors to improve disclosures to their investors around cybersecurity risks and incidents. Understanding rising expectations in this arena is critical for companies as cybersecurity threats and incidents continue to grow more frequent and consequential.

What executives and boards need to know about the SEC's guidance

Many senior executives and corporate boards face the challenge of answering a new call to action by the Securities and Exchange Commission (SEC) to improve disclosures to their investors around cybersecurity risks and incidents. The call to action came in the form of interpretive guidance on cybersecurity disclosures issued by the SEC in February amid growing market concerns around cyber incidents. How should senior executives and boards respond? Understanding what’s new compared to the 2011 staff-level SEC guidance is the first step.  

The updated guidance adds two specific considerations that were not addressed in the 2011 guidance:

  1. It explains that firms should have policies and controls in place to detect and disclose material cybersecurity risks and incidents, and notes that existing certification requirements for chief executive officers (CEOs) and chief financial officers (CFOs) include certifying the effectiveness of these cyber policies and controls.
  2. The guidance says firms should adopt policies to prevent employees from trading with knowledge of nonpublic information regarding cybersecurity risks and incidents, including when there is an ongoing cybersecurity investigation.

The guidance also explains that existing disclosure requirements around board oversight of risk management should include the board’s role in overseeing material cybersecurity risks.

Perhaps most notably, the guidance acknowledges that most companies are including cyber-related content in their regular disclosures; however, the SEC noted that such disclosures mainly focus on broad risk factors and contain boilerplate language that does not provide investors with adequate level of detail describing how companies will handle cyber incidents.

To understand what the regulator expects of companies, the SEC included in its guidance a number of examples of cyber disclosures companies could use when revisiting how they disclose cyber controls and policies to investors.

What the SEC’s guidance means for business

The SEC has made it clear that firms should be taking cybersecurity controls and policies seriously, informing firms of heightened standards moving forward. Firms should continue reassessing both the content of their disclosures and the controls, policies, and procedures they will use to monitor their cybersecurity risks. At a bare minimum, the SEC has clearly laid out expectations for senior leadership such as the C-level executives and boards of directors, to attest to their cybersecurity programs and provide more information to the investing public in regularly scheduled disclosures. Further, the SEC’s guidance will likely require additional internal audit functions, including internal assurance programs, performing a deep dive into the cybersecurity program review process.

Unlike companies in other sectors, financial institutions may have a head start addressing the SEC guidance as they have already been working to meet the New York Department of Financial Services’ (NYDFS) cyber risk assessment, board reporting, and officer attestation requirements. Specifically, NYDFS requires that financial institutions conduct periodic cybersecurity risk assessments that identify cyber risks, evaluate existing controls, and provide mitigation procedures for such risks – and to have a member of senior management certify they are in compliance with the regulation.

Efforts to comply with the NYDFS requirement that firms present an annual report to the board on cyber risks and the effectiveness of the cybersecurity program will likely help financial institutions comply with the SEC’s board oversight guidance.

Next steps for business leaders

Though the SEC’s guidance may nudge reluctant firms into reassessing their cyber risk controls and policies, companies hoping to gain the trust of the investing public should have already begun increasing their cybersecurity measures. A PwC investor survey finds that investors believe cybersecurity should be the top priority for companies, but only 25% of US consumers say they believe companies handle sensitive personal data responsibly.

A key challenge for CEOs is moving from awareness of cybersecurity challenges to proactive management of cyber risks. Only 52% of North American CEOs say they are investing in cybersecurity to a large extent and only 34% of North American CEOs say they are building trust with customers by increasing transparency in data use and storage to a large extent, according to PwC research.

If the SEC’s guidance does not prompt boards of directors and senior executives to begin disclosing more information of how companies are handling cybersecurity risks, then demand from the investing public should prompt appropriate action.

Additionally, boards of directors should increase executive accountability by laying out clear and actionable steps for strengthening data privacy and protection. Individual directors and the board as a whole should take proactive steps to address potential cyber risk. Many of these practical steps — such as preparing for more cybersecurity related engagement between the board and senior executives — can be integrated into existing business operations.

Other proactive steps could include the use of advanced authentication technology or cyber attestation and related policies. For more information on how boards of directors and senior executives can change their approach to cybersecurity risk management, read The Global State of Information Security Survey®.

Companies should also consider whether they need to revisit or refresh previous disclosures, including during the process of investigating a cybersecurity incident, and whether they need to file a Current Report on Form 8-K relating to information that reasonable investors would want to know.

Follow us