Earlier this year, the Securities and Exchange Commission (“SEC”) issued a Statement and Guidance on Cybersecurity Disclosures (“Guidance”) and an Investigative Report (“Report”) in order to assist public companies in preparing disclosures about cybersecurity risks and incidents.
As the year ends, and companies begin thinking about their Annual Reports and cybersecurity programs, we thought it would be helpful to look into the Guidance and the Report to see what it means for companies and their Boards. This post will also examine briefly cyber insurance and why companies might want to consider exploring a policy.
The Guidance, issued in February of this year, affirmed the SEC’s prior 2011 cybersecurity guidance and expanded it in two ways. First, the SEC stressed the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.
Second, it reminded companies and their directors, officers, and insiders of the applicable insider trading risk, and “also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.” And last month, the SEC issued the Report, which reviewed business email compromises that affected nine companies. The SEC chose no enforcement actions, but the companies collectively lost hundreds of millions of dollars.
But, how do the Guidance and Report impact companies, and what active steps should companies be taking? After speaking to two experts in the field, Jamie Evans, a corporate partner and Co-chair of the Securities and Corporate Finance practice at Fenwick & West LLP, and Lee Dutra, Partner, Ernst & Young LLP and the EY San Francisco Office Managing Partner, HackerOne suggests that companies and their Boards focus on three areas:*
Systems and Controls
Companies should have the systems in place to identify incidents before they happen, and the ability to determine the severity and scope of those incidents. Importantly, companies need to think about the remediation processes and resources available to address those incidents.
The basics of incident discovery, response and management are the same for all companies, but the execution and details are unique for each company and each cybersecurity plan should be customized in order to reduce risk, according to Mr. Evans. He sees very few of his clients implement cybersecurity themselves, as what typically is a good practice is to layer in recommendations from external resources.
Further, companies should consider re-evaluating where cybersecurity risk should sit in an organization. Previously, it was a knee-jerk reaction that IT or a CISO should own it, according to Mr. Dutra. But now there’s an acknowledgment that cybersecurity is a broader risk as it involves product security, and reputational or brand risk as well. Given this expanded view, companies need to rethink how cyber risk should be organized internally because it affects so many functions.
Ownership of cybersecurity risk and reporting structures should be re-evaluated to make sure information can be shared and distributed up the responsible parties.
In order to prevent the business email compromises discussed in the Report – fake emails from executives and fake emails from vendors -- the SEC advised that companies tighten its internal accounting controls.
In order to prevent such compromises in the future, each of the issuers enhanced their payment authorization procedures, verification requirements for vendor information changes, account reconciliation procedures and outgoing payment notification processes. The issuers also enhanced their training of responsible personnel about relevant threats. HackerOne also believes that continuous testing by hacker powered security and services could have helped the companies avoid both of these breaches.
Management should be engaging the Board on cybersecurity issues as it relates to corporate governance. Cybersecurity should be on the agenda of every public company, and even for private companies. For tech companies, in particular, it would be irresponsible for a Board to not be considering cyber risk, according to Mr. Evans. He encourages companies to bring the experts into the Boardroom to discuss the security posture and identify the risks. Besides being good corporate hygiene, at a minimum, doing so helps a company build a record of its serious consideration of cybersecurity.
Mr. Dutra observes that companies are now thinking about whether the entire Board, as opposed to solely the audit committee, should be responsible. Audit committees have historically been very engaged in cybersecurity because that’s where risk and liability are evaluated.
However, many board members, whether they’re on the audit committee or not, attend educational programs and directors colleges, where cybersecurity is now actively discussed, so they attend Board meetings expecting management to present information on cybersecurity. And because cybersecurity risk is now considered a corporate risk, then the Board should be updated at every meeting. Therefore, management should go into Board meetings ready to talk to the entire Board about cybersecurity posture.
The following topics should be covered at a Board meeting:
- What systems, procedures and policies are in place to prevent an unauthorized breach, and what updates are needed given new risks;
- What types of vulnerabilities were discovered in the last quarter (or since the last meeting), how were they discovered, and how were they resolved;
- Consistent discussion about what would be considered a material breach or vulnerability to warrant disclosure (see below section on Materiality);
- What new standards, rules, or regulations have been passed that affect cybersecurity;
- What new litigation or enforcement actions should the Board be aware of; and
- The status of implementing existing frameworks or standards.
Companies need to determine what to say, and when, if an incident occurs. The SEC expects “companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” Materiality, according to the SEC, depends on the nature, extent and potential magnitude of the compromised information, and also depends on the range of harm that the incidents could cause. But Mr. Evans acknowledges, that determining materiality can be a difficult decision and often requires considerable subjective judgments. Investigations can take a while and it’s easy to view things in hindsight in a way that doesn’t reflect the real-time decision-making that needs to occur. And the SEC expressly states that “an ongoing internal or external investigation -- which often can be lengthy-- would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” Therefore, disclosure controls and incident procedures should be in place to ensure that management knows about the cybersecurity incident so they have the time and knowledge to determine with the Board and their legal advisors whether the incident should be disclosed in a public filing. Being proactive and preemptive to incidents that may require public disclosure is the best practice.
Cyber insurance review: What to consider
The end of the year is also a good time to review insurance policies, specifically cyber insurance. We spoke to Elissa Doroff, Vice President of Underwriting and Product Manager for Technology and Cyber Liability at AXA XL Insurance for guidance. Cyber insurance is important because a breach is inevitable, and cyber insurance acts to a certain extent as a transfer of risk, according to Ms. Doroff. However, it’s hard to keep up with the risks and exposures because they are constantly increasing, and past data breaches do not necessarily predict future exposures. Board of Directors should consider exploring cyber insurance, and the best way to begin is to speak with a cyber insurance broker.
In terms of premiums, a cyber insurance underwriter will evaluate the risk the same way a company should be evaluating its security posture. The boards of directors should be asking its CTO/CISO’s questions about security posture, as they are similar to questions that an underwriter will ask about. An underwriter wants to understand an insured’s financial position, its exposures, risk of loss and compliance, and how data is classified and stored.
They will also want to know how cybersecurity is managed, how employees are trained, how important cybersecurity is to management and what is the predicted biggest loss. What industry an insured is in, and how regulated it is, will also affect premiums.
Unfortunately, there’s no safe harbor for cybersecurity breaches, or an SEC investigation or enforcement action. It’s not how much a company spends on security or insurance, as no amount of money can protect you completely from vulnerabilities. But companies and their Boards can take the time now to strengthen its security posture by completing governance reviews, re-assessing their cybersecurity systems and procedures, re-educating them on new risks, and exploring cyber insurance.
*Nothing in this post constitutes legal or formal audit advice, and we encourage companies to seek additional guidance from their own legal counsel and auditors.