The U.S. Securities and Exchange Commission (SEC) recently updated guidance for public companies to adopt a more straightforward approach when disclosing information on cyber attacks, data breaches, or any material security risks or weaknesses.
The SEC’s interpretive guidance is an update to information released in 2011 and is a reminder to companies to account for these security risk and incident considerations when preparing documents to file with the securities regulator. The SEC says companies need to disclose the following:
- Material risks: Items are considered “material” and necessary to disclose if a reasonable investor would consider the information important in making an investment decision.
- Not just data breaches: Companies should inform investors about cybersecurity risks and incidents in a timely fashion, even if they may not yet have been the target of a cyberattack.
- Items that impact investors: They don’t have to disclose details that might compromise cybersecurity efforts (such as technical specifics about their infrastructure), but they do need to disclose cybersecurity risks and incidents that may impact investors—financial, legal, or reputational consequences.
The SEC also stated that companies should consider the following cybersecurity risk factors in disclosure:
- Previous cybersecurity incidents (including severity and frequency)
- Probability of another cybersecurity incident
- Preventative actions taken to reduce cybersecurity risks and the associated costs
- Potential costs of a cybersecurity incident and costs associated with maintaining cybersecurity protections
- Potential for reputational harm
- Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies
- Costs of a cybersecurity incident arising from litigation, regulatory investigation, or remediation
“This action by the SEC is a positive step towards creating further accountability and needed transparency in the wake of headlining breaches these days,” said Michael Bruemmer, vice president of Experian Data Breach Resolution.
“Companies should start from the assumption that they will be attacked and have a comprehensive incident response plan in place. That plan needs to include a consumer notification process, especially when sensitive data such as Social Security numbers and financial information is corrupted. Regulation or industry standards, like what the SEC is doing, help protect all stakeholders from experiencing material damage and ensure transparency from company officers.”
The new update is a timely cue for companies: 70% of company executives said their company had multiple data breaches last year, according to “The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?,” sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute. The same survey also found that 66% of companies had not scheduled time to update or review their data breach plan, despite more than half of those companies (56%) reporting that they had experienced a breach.
What Else Are Companies Required to Do After a Data Breach?
Currently, 48 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have laws in place that require companies to send data breach notifications to consumers when their personally identifiable information may have been compromised. (Alabama and South Dakota are the two states that currently don’t have any laws on the books related to data breach notifications.)
Consumers should be aware of their rights under the Fair Credit Reporting Act and under their state’s data breach notification law. Typically, the state laws set conditions around who must comply and what information must be shared with consumers, such as:
- Businesses (public and private) including government entities
- Definition of “personal information” involved, such as name, Social Security number, driver’s license or state ID number, and account numbers
- What constitutes a breach or unauthorized acquisition of data
- Requirements for sending notices to consumers, such as timing, the method of notice, and who must be notified
- Potential exemptions, such as when the compromised information was encrypted
What to Do if You’re the Victim of a Data Breach
For consumers, getting caught up in a data breach can be the start of a long effort to protect their identities and personal information, one that can last for years. If you are a data breach victim, here are some resources to help you recover and protect yourself from additional damage: