Compliance and technology executives, we need to talk. Or, more accurately, you need to talk more often – to each other.
In the last 18 months, the Securities and Exchange Commission sanctioned three companies for making misleading disclosures about cybersecurity breaches those companies suffered. In each instance, at least some employees at the company knew the true extent of the breach, but those details weren’t passed along to the teams responsible for compiling the company’s quarterly SEC filings.
The result: SEC filings that gave investors an erroneous sense of the company’s cybersecurity risks. The disclosures either understated the severity of the incident or framed it as a hypothetical threat rather than as something that had actually happened.
Those are failures of internal disclosure processes, and the SEC is not taking kindly to them. The monetary penalties imposed on the offending companies have grown progressively larger, from $488,000 in mid-2021 to $3 million in an enforcement action announced just this month. The heat is only going to get worse, too, since the SEC is likely to adopt even more stringent rules about disclosing cybersecurity incidents later this year.
So how should compliance officers and CISOs approach this enforcement risk? What practices and processes can help with better communication?
Understand the disclosure risk
Federal securities law requires that financial statements disclose all material issues and risks to investors. That means companies need disclosure controls and procedures to capture information about those material issues, and then convey that information completely and accurately to investors.
Companies have spent the last 20 years developing effective disclosure controls and procedures for financial items, where accounting and SEC reporting teams work hand-in-glove to confirm every detail that should go into a filing.
The newer, more difficult challenge is to build a similar set of controls and procedures for non-financial issues – including data breaches, ransomware attacks, or other cybersecurity events.
This can be hard for several reasons. First, cybersecurity teams aren’t as familiar with disclosure obligations as corporate finance teams usually are. Second, the controls governing financial reporting are well-established and much more uniform from one company to the next. Cybersecurity practices, on the other hand, evolve all the time and can differ radically even among companies of similar size or industry.
Hence you can end up with IT teams discovering a breach and not knowing they should report it up the chain of command, or reporting the breach, then discovering more information about it but not reporting those new details, believing that they had already done their duty.
For example, in the SEC’s most recent enforcement action, the company’s IT team discovered a breach in May. By early July, the company disclosed the breach publicly and promised customers that no sensitive data was at risk. By late July, however, the IT team discovered that personal customer data in fact had been breached.
What happened next? The SEC’s settlement order says it all:
Although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and Social Security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to the senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.
That’s the real issue for CISOs and compliance officers to watch for. Even if you have solid controls and procedures to report information out, from the external reporting team to the 10-Q, you also need controls and procedures that report information up, from other parts of the enterprise to the people who compile the SEC filings.
How to build a better process
Most companies have some sort of in-house disclosure committee to review what should go into the quarterly filings. Start there.
The CISO should already be a member of that committee, and they should be fully briefed by the legal or compliance team about what data needs to be disclosed when cyber incidents happen. Then the CISO needs to assure that controls and processes exist within the IT security function to capture that information about cyber incidents, and then relay it to the external reporting teams.
Critically, those controls and processes need to capture and relay that information even when the situation has changed – for example, when you realize the breach is worse than first understood, or that more data was stolen than believed.
That is where the risk of relying on manual processes for this work lies. Too often, people misunderstand their reporting duties or record a critical piece of information improperly. For example, you might suffer a “fat finger error” where an employee presses the wrong key and records a high-priority incident as low priority – that actually happened in one of the incidents mentioned above. So the more you can automate this monitoring, capturing and relaying, the better.
Also remember that the SEC has proposed even more disclosure of cybersecurity incidents, which companies will need to file more quickly. Those proposed new rules haven’t been adopted yet, but they’re likely to come soon. So another part of your disclosure effort might be to map your disclosure controls to those needs.
Clearly the SEC is thinking a lot about how companies should keep investors informed about the cybersecurity incidents they suffer. Your disclosure policies and procedures will need to keep pace with that heightened attention.
Otherwise your company might end up keeping pace with the SEC’s monetary penalties for poor cybersecurity disclosure, and they’re going up too.