IT Insights: Updated SEC Cybersecurity Guidance

Are You in Compliance?

EQUIFAX STOCK FELL 35% after a massive data breach was revealed — and at least one executive is facing criminal charges. Target’s quarterly net earnings plunged 46% following the news that credit card information had been compromised for as many as 110 million customers. Facebook’s handling of private information, although not technically a breach, has caused serious damage to its reputation and resulted in founder Mark Zuckerberg being called before Congress. Such threats are not new. In 2011, the U.S. Securities and Exchange Commission (SEC) released a set of guidelines for how public companies should disclose cybersecurity risks and breaches to their shareholders. At that time, organizations were beginning to recognize just how much of an impact cybersecurity (or lack thereof) was having on their earnings value. Seven years later, the threats are more obvious and the public has higher expectations for how companies will protect their data. The SEC has also updated its cybersecurity guidance. The new guidance became effective February 28, 2018, and public companies should make sure their policies and procedures enable them to comply.

What Changed?

The SEC, plain and simple, wants more thorough reporting. Not only will public companies have to report the cybersecurity risks they face, but they will also be expected to disclose, in detail, how they are guarding against future breaches. While the SEC recognizes that no system is infallible, it does expect public companies to show that they are doing their best to prevent breaches and that they report breaches promptly when they do occur.

Insider Trading

Insider trading is obviously a major concern for the SEC. The highly publicized Equifax breach revealed suspiciously timed trades by its executives, and in March 2018, one of the company’s chief information officers was charged with insider trading. The new guidance addresses this concern forcefully, repeatedly emphasizing the importance of policies to prevent insider trading and to prevent selective disclosure of material information. The SEC has not historically required specific policies, instead embracing a more principles-based approach; nevertheless, the agency will scrutinize the policies that companies implement. Prevention and self-examination are wise strategies; for example, a company can engage a third party to examine off-schedule trades that occurred around the time of a breach.


Breach Disclosures

The dominant theme of the SEC’s guidance is that companies have a duty to make full and immediate disclosure of cybersecurity breaches. As we mentioned in our 2017 article on newsworthy cybersecurity events, the Yahoo breach that began in 2013 took years to be revealed to the public. Such slow response times harm investors. The SEC is not the only authority requiring prompt disclosure: the European Union’s General Data Protection Regulation (GDPR), which has recently taken effect and is attracting consumer attention through the privacy notices now flooding users’ inboxes, requires a breach to be reported within an extremely short 72-hour time frame. Without setting a specific deadline in hours or days, the new SEC guidance emphasizes that companies must immediately disclose material facts. The SEC recognizes that data breaches are often intricate, that discovery rarely coincides with the breach itself, and that impacts are not always immediately known. Nevertheless, the guidance repeatedly emphasizes the importance of fully and immediately disclosing information about material facts and risks, even before all information is known. It explicitly states that “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” That means companies cannot delay disclosure while they investigate and plan a response. Instead, the SEC guidance says,

In determining their disclosure obligations regarding cybersecurity risks and incidents, companies must generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.

The urgency and breadth of these disclosures make prevention and planning particularly critical.



Ongoing Financial and Risk Disclosures

In its guidance, the SEC sets expectations for evaluating the cybersecurity risk factors that must be disclosed under Regulation S-K and Form 20-F. It will not be adequate to make a generic statement that a company is subject to cybersecurity risks. Instead, companies will be expected to disclose past or ongoing incidents “in order to place discussions of these risks in the appropriate context.” Cybersecurity costs must also be incorporated into the company’s financial reporting, including both ongoing protection efforts and the costs of remediating past events.

The Big Picture

The SEC’s strong stance on cybersecurity risk reporting shows that the government is taking more action to protect investors from these very real threats. In fact, the SEC is only one player among many in this fight. Another U.S. body, the Public Company Accounting Oversight Board (PCAOB), which was established by Congress to oversee financial statement audits, has also stated that cybersecurity is an “evolving risk area” that should be of concern to the general public. In its latest guidance, the SEC has continued to follow its traditional principles-based approach. This approach allows companies that face different risks to implement a solution that works well for them; nevertheless, companies should note the agency’s obvious concern. Public companies should act soon to confirm that their policies and procedures ensure prompt, complete disclosure, prevent insider trading, and create strong barriers protecting customers — and the company — from the serious financial and reputational consequences of cybersecurity breaches.

Further Reading

• SEC cybersecurity website
• SEC’s guidance published on February 21, 2018
• 2011 CF Disclosure Guidance, Topic No. 2
• Analysis: How data breaches affect stock market share prices (July 11, 2017)

Is this a risk to your company?

The SEC guidance described here applies to companies whose use of data is material to their value and therefore to investors. If your company doesn’t store significant amounts of sensitive customer data, such as credit cards or personal information, and a data breach would not significantly disrupt your operations, this cybersecurity guidance may not present a major concern. If you’re not sure, contact the Weaver team for more information.


About Us

Weaver’s IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:

• Application controls review
• Business continuity/disaster recovery
• Cloud computing assessment
• Data analytics
• Data privacy
• Information security and vulnerability assessment
• ISO27001 reviews
• IT audit
• IT governance and organizational effectiveness
• IT risk assessment
• Pre- and post-implementation application reviews
• System and Organization Controls (SOC) reporting

Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances. © Copyright 2018, Weaver and Tidwell, L.L.P.

www.weaver.com | 800.332.7952

Contact Us

Brittany George, CISA, QSA, Senior Manager, IT Advisory Services, brittany.george@weaver.com
Neha Patel, CPA, CISA, Partner, IT Advisory Services, neha.patel@weaver.com
Brian Thomas, CISA, CISSP, QSA, Partner, IT Advisory Services, brian.thomas@weaver.com
Reema Parappilly, CISA, Partner, IT Advisory Services, reema.p@weaver.com
