SEC Remains Focused on Cybersecurity
After a long silence since guidance was last issued a year ago, there’s now widespread expectation that the Securities and Exchange Commission will get much more specific this year about new cybersecurity disclosures for public companies. Recent actions also signal the commission is paying close attention not just to disclosures, but to weaknesses that create cybersecurity risks at companies.
Given that data security increasingly permeates nearly every aspect of corporate operations, these developments could have a big impact.
In its February 2018 guidance, the SEC focused on the materiality of a cyber-risk or data breach. In evaluating whether a disclosure is required, it said companies should consider the range of harm—real and potential—to reputation, financial performance, and relationships with vendors and customers, as well as damage from litigation or regulatory actions.
An SEC official recently hinted that disclosures would be coming under a microscope. At a December 2018 conference of the American Institute of CPAs, Cicely LaMothe, associate director in the Division of Corporation Finance, said that cybersecurity was a topic of high interest and that the commission would likely be paying special attention to disclosures.
Meanwhile, commission actions have highlighted how lax financial controls can lead to substantial cybersecurity breaches.
In Oct. 2018, the SEC took the unusual step of publishing an investigative report detailing how nine publicly traded companies were hacked through email scams and cyberattacks. According to the report, the companies lost a combined $100 million before they became aware of the scams.
The scams were not sophisticated—some were spoofing attacks that impersonated the companies’ own executives—but the companies were vulnerable to cyber fraud because they didn’t maintain sufficient internal accounting controls pursuant to the Securities Exchange Act of 1934, the SEC said.
While none of the companies was named, the report offered information to educate other public companies on the dangers. It said updated accounting controls and better training of staff were critical to protecting against such attacks.
According to FBI data, such business email scams have caused more than $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017. The bureau said this was the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during that period.
Most recently, the SEC announced in January that it had settled with four public companies for failure to maintain adequate financial reporting controls. The announcement highlighted the fact that disclosures don’t necessarily protect companies from regulatory enforcement actions. The four had repeatedly disclosed material weaknesses in their internal controls over financial reporting.