SEC: ‘Critical’ for Companies to Disclose Cybersecurity Incidents
The U.S. Securities and Exchange Commission (SEC) is encouraging public companies to inform key stakeholders about cybersecurity incidents in a timely fashion.
Cybersecurity incidents are increasing in cost, frequency and magnitude. As such, it is “critical” for public companies to disclose cybersecurity incidents in an appropriate time frame, the SEC noted in its guidance on cybersecurity disclosures issued this week.
How Can Public Companies Address Cybersecurity Incidents?
Effective cybersecurity incident disclosure controls and procedures are essential, and public companies must employ directors, officers and other leaders who are responsible for developing and overseeing these measures, according to the SEC. In addition, business leaders must stay up to date about cyber risks that their respective companies have faced or likely will face.
Public companies also should implement policies and procedures to prevent corporate insiders from taking advantage of the period between a company’s discovery of a cybersecurity incident and its public disclosure of that incident, the SEC stated. Furthermore, if corporate insiders violate these policies and procedures, they should be punished accordingly. These SEC recommendations come after three Equifax senior executives sold company shares worth nearly $1.8 million just days before the company suffered a data breach that affected approximately 143 million U.S. consumers, Bloomberg reported.
Ultimately, the SEC wants to provide a “roadmap” to help public companies enhance their cybersecurity policies and procedures, the commission indicated. Public companies are not expected to disclose technical information about their cybersecurity systems; instead, the SEC wants public companies to disclose cybersecurity incidents that are material to investors, along with the financial, legal or reputational consequences associated with them.
What Does the SEC Guidance Mean for Public Companies?
Although all public companies are tasked with identifying and addressing cyberattacks, some businesses manage cybersecurity incidents “while being cloaked,” Bill Conner, CEO of network security solutions company SonicWall, told MSSP Alert. Now, the SEC is taking action against these companies, Conner said, to protect business stakeholders against cybersecurity incidents.
The SEC’s cybersecurity guidelines on disclosures and insider trading rules are “a solid step in the right direction,” Conner noted. However, additional work is required to foster communication between public companies and their stakeholders about cybersecurity incidents.
MSSPs could play an important role in educating public companies and their key stakeholders about cybersecurity dangers. If MSSPs allocate time and resources to teach businesses about malware, ransomware and other cyber risks, these companies can empower their stakeholders to detect and resolve cyberattacks faster than ever before.