SEC Investigations Spur Debate over "Materiality" of Cyberattacks

Following a record year for data breach incidents — with eight breaches exposing over 10 million identities — the U.S. Securities and Exchange Commission (SEC) is closely scrutinizing how those breaches were handled. Multiple recently opened SEC investigations are focusing on the data security processes companies had in place when the breaches occurred and how much they disclosed — or failed to disclose — to investors about them.

Such investigatory actions are new for the SEC, which has previously focused on guiding public companies on how to defend against cyberthreats and disclose those risks to their investors. Now, however, the SEC is looking into events related to the data breaches, including how they occurred, the consequences, how each organization responded and — where asset values may have been affected by a breach — closely reviewing companies' internal controls. Enforcement action could well follow if the agency finds company disclosures were incomplete or misleading.

One potential roadblock for regulators is that, while public companies are required to tell investors of any material events that may affect the investors' decision to buy or sell shares, there is no explicit requirement that they disclose cyberattacks. Previous SEC guidance addressed this issue by urging companies to disclose any material information on cyberattacks or risks, such as breaches that lead to stolen intellectual property or a significant increase in the amount spent to defend company information. However, "materiality" is often a matter of interpretation that varies according to the situation and the parties involved. Consequently, whether companies should disclose such information, and what type of information should be disclosed, remains a topic of debate among corporate attorneys, regulators and other interested parties.

Many companies avoid disclosing breaches for fear of lawsuits. However, according to a recent study by security firm HBGary Inc., more than 70% of investors are interested in receiving more information about company cybersecurity practices. This pressure, together with an increase in the volume and frequency of cyberattacks and heightened regulatory scrutiny, may force many companies to change their disclosure policies if they wish to remain competitive and retain the public's trust.

Whatever a company opts to disclose, a strong data and information security program is the best defense against the variety of threats posed to personal and business information. Data breaches can result in significant financial repercussions and damage to customer loyalty and brand reputation, making policies and processes to manage and address data security risks crucial in today's business environment.


Topics:  Cybersecurity, Data Breach, Disclosure, Disclosure Requirements, Internal Controls, Investigations, Investors, Materiality, Publicly-Traded Companies, SEC

Published In: General Business Updates, Privacy Updates, Science, Computers & Technology Updates, Securities Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WeComply, a Thomson Reuters business | Attorney Advertising
