Wednesday, February 28, 2018
"Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack," the SEC wrote in its Commission Statement and Guidance on Public Company Cybersecurity Disclosures document.
"Crucial to a public company's ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents," the SEC wrote.
Scott Clements, Chief Executive Officer at Vasco Data Security International Inc., called the SEC's policies a positive move for investors and online citizens, one that acknowledges the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, which include malware, ransomware, phishing and the use of stolen credentials. He emphasized the need for a risk-based, layered approach to security, noting that too many companies rely on outdated security methods that insufficiently address the current environment.
"The overwhelming number of corporate breaches can be traced back to the use of stolen credentials or weak passwords combined with inadequate authentication methods," Clements stated. "Too many companies still rely on decades-old methods of security and this is not sufficient in today's environment. Organizations need to apply a risk-based, layered approach to security."
Clements expressed hope that the SEC's action will increase transparency of publicly-traded companies and their security practices. "Highly effective and frictionless multifactor authentication and risk analysis solutions augmented with new technologies such as facial recognition and behavioral biometrics make the job of securing information and assets remarkably economical and efficient," he added.
The SEC document noted that criminals frequently target companies operating in industries responsible for critical infrastructure, and that malicious attacks can lead to theft or destruction of financial assets, intellectual property and other sensitive information belonging to companies and their customers and business partners.
While the new SEC guidelines require companies to file periodic reports covering business and operations, risk factors and legal proceedings, some analysts would like to see more specific guidance on privacy protections. Willy Leichter, Vice President of Marketing at Virsec Systems Inc., a cybersecurity provider, noted that the word "privacy" does not appear anywhere in the document.
While data privacy may not be in the SEC's purview, Leichter said cybersecurity incidents most commonly involve breaches of customer data and ensuing loss of privacy, confidence and customer trust. "Requiring disclosure of cyber security gaps that may not yet have been exploited is important, as it [bars] insider trading on non-public knowledge of a breach," he stated. "However, recommending 'timely' notification of breaches is far too vague. Was Equifax's months-long gap in public disclosure timely?"
Many agree that more work still needs to be done. "Ultimately, the step the Commission took with respect to cybersecurity risks and incidents should only be its first," said SEC Commissioner Kara Stein. "There is so much more we can and should do. I hope we will proceed accordingly for the good of investors, public companies, and our capital markets."