This summer, the US Securities and Exchange Commission (SEC) signaled a significant change in how it thinks about what constitutes a threat to companies: It now considers cyber vulnerabilities to be an existential business risk. This was evident in fines levied against two companies over inadequate disclosures of cybersecurity issues—British publishing company Pearson and First American Financial. In mid-August, the SEC announced that Pearson had agreed to pay $1 million to settle charges that it misled investors following a 2018 breach and theft of millions of student records. And in June, the SEC announced another settlement and $500,000 fine against real estate services company First American Financial for lack of disclosure controls following the discovery of a vulnerability in its system that exposed 800 million image files, including Social Security numbers and financial information.
These fines signal a major shift, and one that could profoundly change the way companies think about cybersecurity threats, communicate internally about these threats, and disclose breaches.
Businesses are required to properly disclose “risk factors” in SEC filings to inform the investing public about the risks that may come with the stocks they purchase. These risks can include competitive threats, natural disasters, supply-chain issues, economic downturns, political events, public-health issues, trade wars, and cybersecurity incidents. Disclosures detail the operational risk investors face from the threats and detail their potential effects on the company’s critical business operations, revenue, market share, and reputation. While companies have to maintain proper controls for how they disclose the information to regulators, historically there have been few regulatory repercussions from the SEC for companies that suffered cyberattacks.
This, of course, was never sustainable. The Securities and Exchange Act of 1934 was created to ensure transparency and fairness in the capital markets. While the act doesn’t specifically require companies to disclose cybersecurity incidents, the SEC has been ramping up its warnings that it considers them a serious issue. In 2011, the agency clarified that significant cybersecurity-related risks and incidents need to be disclosed. And a 2018 update to guidance cited the “ongoing risks and threats to our capital markets” from cybersecurity incidents.
These updates—and their emphasis on the real risks that lax cybersecurity poses—reflect the state of the world right now. Just like natural disasters and supply-chain shortages of components such as semiconductors, cybersecurity breaches can ultimately harm a company’s financial condition and share price. In addition to the costs of remediation from a cyberattack and loss of customers, revenue, and reputation, there could be shareholder lawsuits, customer lawsuits, increases in insurance premiums, and increased scrutiny from external auditors and the board of directors. There are indirect consequences as well: Cyberattacks can distract management, causing new problems; they can also trigger customer audits of a company’s cybersecurity defenses, which can lead to the involvement of outside counsel and other third parties, and significant added expenses.