What happened?
Earlier this week, the FBI released an alert warning that ransomware actors are seeking to exploit significant financial transaction events and stock valuation to extort victims, including malware specifically written to look for 10Q/10K earnings release information, and information disclosure threats intended to impact share price.
Why is it important?
This alert will heighten attention on management and disclosure of cyber risks and incidents by public companies. Earlier this fall, U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler stated that the Commission plans to release a notice of proposed rulemaking (NPRM) meant to provide investors with increased transparency into cyber risk amid a global surge in cyberattacks across business sectors. In terms of scope, Gensler noted that the forthcoming proposal “could address issues such as cyber hygiene and incident reporting.” The expected rule was also referenced in October 2021 remarks by Commissioner Elad Roisman.
Because the new rule likely will be issued as an NPRM, industries will be permitted to provide comments before finalization. This rulemaking will formalize expectations previously articulated through interpretive guidance, and it follows on the heels of a number of recent enforcement actions.
- In 2018, the SEC released guidance on public company cybersecurity disclosure requirements. This guidance highlighted the importance of comprehensive cyber policies and procedures with a focus on timely disclosure of material cyber risks and incidents. It also called attention to insider trading prohibitions based on proprietary knowledge of cybersecurity risks and incidents. The impetus for the 2018 guidance was a series of high-profile cyber incidents at companies where senior leadership delayed notification of compromises to the public or sold company stock after the discovery of the breach but before public notice.
The SEC has also brought multiple actions charging deficient cybersecurity practices against investment advisors/broker-dealers as well as public companies.
- In August 2021, the Commission sanctioned three sets of investment advisors and broker-dealers in relation to cyber incidents. In all three cases, cloud email accounts had been compromised, resulting in the breach of customer and client personally-identifying information (PII). According to the SEC complaints, insufficient protections were in place to secure the accounts, and monetary penalties resulted in each case.
- Also that month, Pearson PLC paid $1 million in fines as a settlement based on charges brought by the SEC in relation to a 2018 cyber incident. The Commission alleged that the educational publishing company overstated cybersecurity protections (e.g., a critical vulnerability was left unpatched for six months after initial notification) and misled the public and the company’s investors about the nature of the breach by downplaying the extent of the information stolen by the attackers.
What to do about it?
These recent developments underscore the importance of both threat-informed defense and focused cybersecurity governance measures.
While public companies wait for the specifics of the rule, they can take proactive steps to prepare by following the baseline measures described in the 2018 interpretative guidance.
- In terms of disclosure, a threshold question is one of materiality – i.e., if there is a “substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
- The guidance goes on to explain that, as a part of a materiality analysis, “a company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity.”
- Potential consequences include harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory action.
- The guidance also lays out an expectation that public companies disclose the extent of the board of directors’ role in overseeing the company, in particular regarding cybersecurity risk.
The following questions can be instructive in helping boards and senior management unpack cyber risk:
- Based on our business profile, what should we consider as reasonably foreseeable threat actor interest in our critical processes and data?
- Can we measure cyber risk in economic and business terms and report to senior management and the board in a timely fashion?
- Does our security approach provide reasonable coverage against likely threat tradecraft? How do we weigh tradeoffs in alternative security investments?
- Are the security countermeasures we have in place actually effective?
- Are we prepared if things go wrong?
Effective oversight of cybersecurity initiatives and understanding of cybersecurity risks require a background in these issues, and yet cybersecurity expertise is often lacking on corporate boards. A study conducted by EY of 76 Fortune 100 companies between 2018 and 2020 found that only 46% of the companies studied listed directors with some degree of cybersecurity experience or knowledge in their biographies.
Preparedness…and its relationship to timeliness.
Since there is no such thing as risk elimination, resiliency becomes critical. Management and boards should thus have a firm view of the effectiveness of preparedness, response, and recovery capabilities, for two reasons. First, being prepared helps limit the extent of actual harm to the company. Second, management’s ability to effectively manage a crisis – cyber or otherwise – serves as a proxy for its broader management capabilities and thus influences the brand’s reputation.
Years ago, in its 2012 Reputation Review Report, Oxford Metrica analyzed long-term market value impacts of major corporate crises (cyber and non-cyber) and found that “[a]t times of crisis, substantially more information is forthcoming on a company and, in particular, on its management, than is usually available. This new information is used by investors and other stakeholders to re-assess their expectations of future behavior and performance.” The report went on to conclude: “It is in the first few days following an event that the market makes its judgment on whether a company is going to emerge as a Winner or a Loser.”
Most large companies now understand that having an incident response plan is table stakes. But having an incident response plan is no guarantee of effectiveness.
Rather, key escalation triggers must be defined and understood – for example, when a vulnerability crosses over into a breach. Key personnel must, through training and exercises, understand their roles and the key decisions to be made in a crisis – including when to call in outside help. And technology should be architected to anticipate that incidents will occur and thus facilitate quick response and recovery.
In these ways, the SEC’s timeliness expectation becomes less of an issue because the incident investigation does not linger over an extended period. Likewise, expectations around materiality and insider trading are anticipated as part of preparedness planning.
For more information please contact us at info@chertoffgroup.com