Proposed Rules On Cybersecurity Disclosure

Since the birth of the internet, cybersecurity has been an important topic. Just as companies are working hard to protect their confidential information from hackers, cybercriminals are working hard to get around these defense measures. As an increasing percentage of the world’s economy runs through electronic communications and the digital environment, cybercrimes will only become more common.

Now, the SEC has issued guidance on cybersecurity risk management, and amendments have been proposed related to new rules on cybersecurity. Given the growing threat of cyberattacks, companies must be aware of emerging rules and regulations related to cybersecurity as well as best practices they can follow to protect their information.

Cyberattacks Are Only Becoming More Common

Hackers are using increasingly sophisticated methods to circumvent the digital security measures that companies put into place. A few examples of cyberattacks include ransomware, data breaches, SQL injections, and phishing attacks. Public companies of all shapes and sizes have been targeted in a variety of cyberattacks, and these attacks could threaten the future of companies as well as their customers.

A company struck by a cyberattack might experience a variety of consequences. A few examples include:

  • Significant expenses related to decreases in production, delayed product launches, and business interruption
  • Repair costs related to replacing damaged hardware and software
  • Lost revenue due to lost faith from customers who will likely go somewhere else
  • Ransom and extortion payments related to a ransomware attack
  • Increased cybersecurity costs to strengthen defenses moving forward
  • Potential legal expenses related to litigation and civil action
  • Lost market value due to a plunging stock price

Because of the major risks stemming from cyberattacks, it is incumbent on companies to ensure they have strong digital security measures in place. Now, the SEC might increase regulatory standards to ensure companies follow cybersecurity best practices and disclose their digital security measures.

Current Guidelines From the SEC

Even though the SEC does not have any disclosure requirements in place, it has issued guidelines. In a release from 2018, the SEC encouraged companies to consider cybersecurity disclosure in areas such as:

  • Regulation S-K Item 105, which relates to cybersecurity risk factors
  • Regulation S-K Item 303, which relates to the cost of cybersecurity efforts and prior incidents
  • Regulation S-K Item 101, which relates to cybersecurity incidents that impact the company’s products and services
  • Disclosures of pending legal proceedings related to cybersecurity issues
  • Regulation S-K Item 407, which relates to cybersecurity oversight

Thus far, cybersecurity disclosure from publicly held companies has been inconsistent and typically includes boilerplate language.

New Amendments Proposed by the SEC

Now, because cybersecurity is a growing issue, the SEC has proposed amendments to Form 8-K. These amendments would require disclosure of material cybersecurity incidents. Companies would be required to:

  • Update disclosures about prior cybersecurity incidents using periodic reports
  • Describe the policies and procedures they have in place for identifying and managing cybersecurity threats
  • Disclose how the board oversees and manages cybersecurity risk
  • Discuss the expertise that managers have in implementing various cybersecurity policies, procedures, and strategies

Even though the public comment period for these proposed amendments has passed, the SEC has not yet released a final ruling on whether the amendments will go into effect and what portions of the proposals above will be included.

Cybersecurity Reporting Is Becoming Increasingly Important

Given the material threat posed by cybersecurity issues, more regulations from the SEC could be coming. To ensure your company is filing its EDGAR reports with the SEC correctly, work with the team from Colonial Stock Transfer, and rely on our expertise to help you.

Author: Admin