By Bloomberg BNA
Data and email breaches like those recently reported by Equifax, Deloitte, and Uber are on the rise, and this has regulatory officials at the U.S. Securities and Exchange Commission ready to assess cyberattack disclosures with fresh eyes.
There is no question that reporting breaches is a must for companies and consumers, but it is the "what," "when" and "how much" of what gets reported that is often at issue. Equifax disclosed its data theft on Sept. 7, roughly six weeks after the breach reportedly became known internally on July 29, while Uber reportedly kept a theft of its customers' personal data quiet for a year. The SEC itself announced earlier this year that one of its own systems had been breached.
Although no SEC disclosure requirement refers specifically to cybersecurity or cyber threats, a number of existing requirements obligate companies to promptly disclose risks and incidents that affect their financial wellbeing or their customers.
In October 2011, the SEC issued guidance on disclosing cybersecurity risks and incidents, prompted by concern over the risks posed by the digital technologies companies rely on to run their operations. That guidance, however, came from the agency's Division of Corporation Finance as staff guidance, not from the commissioners themselves. In November, the division's director said the agency may revisit these issues in 2018.
The SEC's Office of Compliance Inspections and Examinations listed cybersecurity as an area of focus in its 2016 and 2017 examination priorities. SEC chairman Jay Clayton said in September that on the issue of cybersecurity, and "with respect to U.S. public company issuers, the SEC's primary regulatory role is disclosure based."
The scope of the problem, and its potential impact on markets, is expected to be larger in 2018. Security companies, watchdogs, and regulatory officials broadly agree that cyber threats to companies large and small are growing, and that attacks increasingly target cloud-hosted servers and email systems.
“The scope and severity of risks that cyber threats present have increased dramatically” and “efforts are continuous and evolving,” Clayton said.
Government officials are also concerned about nation-state hackers seeking to compromise companies and government agencies. The President's National Infrastructure Advisory Council said in its 2017 report, "As a nation-state cyberattack on U.S. infrastructure places private companies on the front line, this presents a national security challenge unlike any other." The Council added that federal and private roles in defending these systems should be "aligned and mutually supportive."
Some critics say private sector vigilance is not sufficient. “The public should have no confidence whatsoever in the companies collecting, storing, transmitting, or processing their metadata,” noted the Institute for Critical Infrastructure Technology, a cybersecurity think tank, in a report referring to Equifax and other data holding companies. These organizations “have a long and sustained history of operating insecurely,” the report said.
Breaches that expose consumers' financial and personal information create obvious risks for the individuals affected. For the companies charged with protecting that information, the financial costs of such breaches can be extensive. Regulators want companies to treat fuller and earlier reporting of cyberattacks as sound business practice, and one that ultimately benefits a firm's bottom line.