The US Securities Exchange Commission has joined a growing number of regulatory agencies in expressing interest in cybersecurity issues. As the foremost regulator of public companies, the SEC has a broad jurisdictional reach and enforcement powers that many other agencies lack. While no detailed regulations have been enacted, the SEC has issued guidance noting that cybersecurity issues should be disclosed as risk factors to the extent they are significant under Regulation S-K.
However, many organizations lack the procedural and technical frameworks necessary to identify key information assets and significant risks to the organization that should be disclosed under Regulation S-K. This White Paper highlights the critical aspects of the SEC’s cybersecurity guidance and how directors can maintain compliance and reduce shareholder risk.
Cybersecurity is an increasingly major issue affecting every element of the publicly traded markets. The value of investor holdings is directly impacted by risk affecting digital assets.
On October 13, 2011 the Division of Corporation Finance at the Securities and Exchange Commission (SEC) issued non-rule, non-regulation, non-statement guidance regarding disclosure obligations relating to cyber security risks and cyber incidents.1 The guidance notes that securities laws are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision and cyberscurity risks and events are not exempt from these requirements. Disclosures of cybersecurity risks and events may also be necessary to prevent other required disclosures from being misleading.
The SEC cybersecurity guidance identifies six areas where cybersecurity disclosures may be necessary under Regulation S-K: 1) Risk Factors; 2) Management’s Discussion and Analysis of Financial Condition and Results of Operation (MD&A); 3) Description of Business; 4) Legal Proceedings; 5) Financial Statement Disclosures; and 6) Disclosure Controls and Procedures.
Material cybersecurity risks should be disclosed and adequately described as risk factors. Where cybersecurity risks and incidents that represent a material event, trend or uncertainty reasonably likely to have a material impact on the organization's operations, liquidity or financial condition it should be addressed in the MD&A. If cybersecurity risks materially affect the organizations products, services, relationships with customers or suppliers, or competitive conditions, organizations should disclose such risks in its description of business. Data breaches or other incidents can result in regulatory investigations or private actions that are material and should be discussed in the Legal Proceedings section. Cybersecurity risks and incidents that represent substantial costs in prevention or response should be included in Financial Statement Disclosures where the financial impact is material. Finally, where a cybersecurity risk or incident impairs the organization's ability to record or report information that must be disclosed, Disclosure Controls and Procedures may be ineffective and subject to disclosure.
While the SEC has not yet explicitly promulgated cybersecurity rules, securities regulators have clearly indicated that they consider cybersecurity a key issue for public companies and investors.
The SEC and Current Cybersecurity Challenges
Digital assets represent an ever-growing percentage of the total value of organizations. Organized crime and nation-state actors, often in the form of Advanced Persistent Threats, are becoming more active and more sophisticated in targeting assets that can be economically profitable. Breaches are becoming everyday events, with malicious attackers becoming the most predominant source. According to Verizon’s 2013 Data Breach Investigations Report, 92% of breaches were perpetrated by outside actors, and 75% were driven by financial motives.2 As these threats grow, many organizations are lagging behind in identifying key digital assets and ensuring that they are adequately protected.
In addition, while board members increasingly acknowledge that they must take a role in cybersecurity issues, most lack the knowledge and experience to know the appropriate role for the board in overseeing protection of digital assets.
Listed below are three areas of focus where boards and senior management can minimize cybersecurity risks to the organization include:
- Be Prepared – the Rapidly Changing Environment. Ensure that the organization has appropriate frameworks in place for mitigating cybersecurity risks. Specific areas to address include:
- Identify key digital assets that, if compromised, could cause significant damage to the organization.
- Investigate the organization’s policies and processes for protecting the identified assets and whether current controls adequately address the risk. Policies and procedures should be documented and continuously reviewed for effectiveness and revised when necessary.
- Ensure the organization is exercising diligence over third parties providing critical services, including cross-border service providers.
- Act at Market Speed – Focusing on Investor Protection. Incident Response Planning is key in responding to a cybersecurity incidents and data breaches. The organization should have in place a defined and documented process for the end to end management of security incidents and data breaches.
- Know What is Happening – Helping Thwart Cybercrime. The sophisticated capabilities of malicious adversaries, such as Advanced Persistent Threats, demand diligence at all levels of the organization. Defenses, including technical measures, policies and procedures, and training, should address risks throughout the organizations business process flow. The organization should have a framework in place to monitor and identify cybersecurity incidents and potential breaches and continuously monitor and improve.
Be Prepared – the Rapidly Changing Environment
Preparation is the most critical single aspect of complying with SEC guidance and protecting shareholder value. Organizations must identify their critical digital assets and the risks that impact them. Without understanding what assets within the organization are most valuable, it is impossible to determine whether cybersecurity resources are appropriately prioritized.
Identifying critical assets must involve senior management and board input on strategic direction and relative value of critical assets and strategic risks. For example, the board should review management’s valuation and prioritization of assets and discuss the strategic impact of identified risks. The board and senior management should ensure that the organization has instituted a documented risk management program that incorporates cybersecurity as a risk source. Cybersecurity risks that are among the most significant factors that may make an investment risky or speculative should be disclosed.
Another key area of oversight is the organization’s policies and procedures. Nearly every key business process involves the input, storage, processing and output of digital information. These key business processes should be documented and periodically reviewed and updated as necessary to ensure that critical digital assets are secure. Diligence in implementing and documenting policies and procedures can help prevent legal issues stemming from cybersecurity incidents and curtailing claims that are filed by demonstrating compliance and reasonable security practices. Independent assessments should be used as appropriate to validate internal controls against applicable regulations and industry best practices.
Third party service providers and partners are a major source of organizational risk. Critical digital assets and responsibilities are often delegated outside the organization where oversight and control is limited. Boards and senior management should ensure that the organization has implemented a program for managing third parties with access to critical digital assets. The program should identify third parties with access to critical digital assets and implement appropriate controls through contractual or other obligations to ensure that the organization’s digital assets are adequately protected. To the extent third parties are heavily relied upon for critical business processes, cybersecurity may be a significant risk factor that should be disclosed.
Acting at Market Speed – Focusing on Investor Protection
Cybersecurity incidents are inevitable for even the most diligent organizations. Information systems and business processes are too complex and change too rapidly for defenses to keep pace with cybersecurity threats. Organizations must develop response capabilities to contain and limit the effect of incidents that do occur.
Boards and senior management should ensure that the organization has a defined and documented incident response program that incorporates technical, business and legal stakeholders. The incident response program should be tested at least annually and the program should be reviewed and improved as necessary after each incident or test. Boards and senior management should be informed of significant cybersecurity incidents and breaches and ensure that appropriate remedial measures are taken to prevent similar incidents from recurring.
Speed and efficiency in responding to incidents and breaches can significantly affect the impact of the cybersecurity event on an organization. An effective incident response program can make the difference between containing a breach to a minor event and having the breach escalate into a major issue or legal claims that must be disclosed under Regulation S-K.
Know What is Happening – Helping Thwart Cybercrime
Malicious actors are rapidly increasing in sophistication and motivation. Gone are the days of teenagers in dorm rooms hacking for the challenge or notoriety. Attackers today have substantial financial or political motivation and select specific targets rather than targets of opportunity. The sophistication and skill of attackers is shown in the 2013 Verizon Data Breach Investigation Report, which found that 66% of malicious attacks operated in the organization for at least four months before being detected.3
Organizations must deploy detection and identification capabilities and diligently monitor activity within their networks. Boards and senior management should investigate the organization’s detection capabilities and whether they are appropriate relative identified risks. Independent evaluation is essential to avoid overlooking incorrect assumptions and inadvertent bias in internal reviews.
Internal monitoring leverages preparation and incident response programs to limit the potential impact of cybersecurity incidents. Malicious attacks must be detected before an incident response plan can be initiated, and earlier detection limits the damage from intrusions. Detection capabilities also indicate what threats are not being mitigated by technical controls, policies and procedures, and detected incidents should be reviewed and used as an input into the continuous improvement cycle for cybersecurity controls.