Publicly traded companies must start disclosing more “actionable” information to shareholders and regulators around their cyber risks and vulnerabilities.
Authors of a new report argue that in the wake of the 2020 SolarWinds breach and increased regulatory fervor on Capitol Hill and the Securities and Exchange Commission, public companies “should be explaining to investors the specific risks they face from cybersecurity threats, including operational disruption, intellectual property theft, loss of sensitive client data, and fraud caused by business email compromises.”
In the legal realm, law firms that work on software supply chain breach cases are increasingly scrutinizing what a business knew or should have known about its software and hardware suppliers, as well as its exposure to known risky vendors, when discussing issues like liability. At the SEC, internal guidance to staff around disclosure obligations for publicly traded companies calls for investors to get the same perspective on technology risks and their impact on business operations as management has. The details should be “specifically tailored to a company’s unique facts and circumstances” and avoid vague or general language about experiencing “a cybersecurity incident” when they do suffer a breach.
This can include things like the company’s overall security philosophy, the investments it is making in different security tools and services, an inventory of the primary and secondary vendors it relies on, and an awareness of how that reliance exposes its customer data to additional risks.
The report was produced by SecurityScorecard, the National Association of Corporate Directors, the Cyber Threat Alliance, and private tech companies Diligent and IHS Markit.
Many executives themselves might not fully understand their own risks. Cybersecurity reporting to boards of directors can often be overly technical, lacking a connection to clear business goals and bereft of meaningful metrics to judge success or failure. A 2019 study from McKinsey on cybersecurity in the boardroom found widespread confusion and dissatisfaction among executives about how digital threats are reported and explained.
“Most reporting fails to convey the implications of risk levels for business processes,” the study said. “Board members find these reports off-putting — poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.”
The SecurityScorecard report cites some evidence that the SEC is taking action to prosecute some of the worst offenders who “under disclose” around cyber threats, such as a $35 million settlement with Altaba over the Yahoo! data breach. Members of Congress have proposed legislation tightening up reporting requirements, and the Cyberspace Solarium Commission has called for reforms to the Sarbanes-Oxley Act to force public companies to reveal more about their cybersecurity posture.
However, in practice the vast majority of companies that suffer data breaches tend to face few consequences from authorities, regulators and even their shareholders. CEOs and other top executives are rarely fired for cybersecurity failures that lead to a breach, and for every big-money settlement the SEC pursues, there are hundreds of companies that evade scrutiny altogether. Studies examining the impact of data breaches on the stock price of affected companies show that while many may take a short-term hit, the long-term effects are negligible for all but the most devastating incidents.
While the SecurityScorecard report does call for more transparency on the part of companies, it also argues that important progress has been made in recent years, and that businesses are at least talking more about the issue. However, there is a “clear opportunity” for improved oversight of cybersecurity and supply chain issues by improving internal reporting mechanisms and conducting more regular briefings to high-level executives that can be captured in SEC disclosures to the broader investing public.