SEC Guidance Requires Cybersecurity Risks to Be Disclosed


The United States Securities and Exchange Commission (SEC) released new guidance on cybersecurity last month, stating that cybersecurity risks must now be disclosed. In the past, the SEC has required publicly traded companies to disclose material risks and events: information that would be pertinent for a person to know before investing in the company.

But before this new guidance, it was not clearly stated that cybersecurity information was to be included in these disclosures. According to an article in the Washington Post, "This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches, such as the significant loss of a company's intellectual property, will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices."

So now, a company must be upfront about any problems it has had as a result of poor fraud prevention tools.

According to the guidance, failing fraud prevention systems that lead to cybersecurity issues can result in:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.