Following a record year for data breach incidents — with eight breaches exposing over 10 million identities — the U.S. Securities and Exchange Commission (SEC) is closely scrutinizing how those breaches were handled. Several recently opened SEC investigations focus on the data security processes companies had in place when the breaches occurred and on how much they disclosed — or failed to disclose — to investors about them.
Such investigatory actions are new for the SEC, which has previously focused on guiding public companies on how to defend against cyberthreats and how to disclose those risks to investors. Now, however, the SEC is examining the events surrounding the breaches themselves: how they occurred, what the consequences were, how each organization responded and — where asset values may have been affected by a breach — whether the company's internal controls were adequate. If the agency finds that a company's disclosures were incomplete or misleading, enforcement action is a realistic possibility.
One potential roadblock for regulators is that, while public companies are required to inform investors of any material event that may affect a decision to buy or sell shares, there is no explicit requirement that they disclose cyberattacks. Previous SEC guidance addressed this gap by urging companies to disclose material information about cyberattacks or cyber risks, such as breaches that result in stolen intellectual property or a significant increase in spending to defend company information. However, "materiality" is often a matter of interpretation that varies with the situation and the parties involved. Consequently, whether companies must disclose such information, and what they must disclose, remains a topic of debate among corporate attorneys, regulators and other interested parties.
Many companies avoid disclosing breaches for fear of lawsuits. However, according to a recent study by security firm HBGary Inc., more than 70% of investors are interested in receiving more information about company cybersecurity practices. This pressure, together with an increase in the volume and frequency of cyberattacks and heightened regulatory scrutiny, may force many companies to change their disclosure policies if they wish to remain competitive and retain the public's trust.
Whatever a company opts to disclose, a strong data and information security program remains the best defense against the range of threats to personal and business information. Data breaches can carry significant financial repercussions and damage customer loyalty and brand reputation, which makes policies and processes for managing data security risk essential in today's business environment.