Regulatory Roundup, Part 1: Impact of SEC Cyber Security Disclosure Guidance
While state data breach notice laws have been around for several years now, publicly traded companies are facing a new dimension to their cyber security obligations. Recent Securities and Exchange Commission (SEC) guidance specifically calls out cyber security risks and requires publicly traded companies to consider the risk of cyber incidents under their existing disclosure obligations. The guidance is not a binding regulation, but it will likely be the standard by which the SEC, and certainly plaintiffs’ lawyers, measure a company’s compliance.
In order to determine whether disclosure of cyber security risks is required, and be able to accurately quantify and describe the risks in a disclosure, companies must obviously understand the risks themselves. This requires a comprehensive risk assessment to determine what risks exist, how they affect the likelihood of a security incident, and how severe an impact they would have on the company’s operations, reputation, legal and compliance obligations, and overall financial performance. By identifying the risks, companies gain the opportunity to mitigate those risks and obtain a better disclosure position. This also reduces the likelihood of having a cyber incident and the resulting public relations nightmare that seems almost inevitable in this age of scrutiny.
Even with regular and robust risk assessments, it’s important to remember that hindsight is always 20/20, while foresight is fuzzy at best. It’s very difficult to quantify exactly how great a risk is and how likely it is to occur. Yet after a breach occurs, it seems clear the risk was material. Companies that do not disclose cyber risks face the threat of shareholder litigation for failure to disclose should the risk materialize. This will likely lead most publicly traded companies to include a statement about cyber risk, which is made all the more difficult by the SEC’s instruction to avoid generic “boilerplate.”
Many companies will also focus more intently on remediation, including post-breach assessments and regular penetration testing, should a cyber incident occur. The guidance requires publicly traded companies to disclose material cyber incidents the company has experienced, including a description of the costs and other consequences. Companies will be keen to demonstrate their responsible handling of these incidents and show what actions they have taken to mitigate future risk. The SEC’s guidance reaffirms the importance of understanding and addressing cyber security risks, but adds an additional compliance risk to the already complex cyber security realm for publicly traded companies.
Risk assessment is certainly a basic tenet at Kroll, and we’ve worked with clients across the globe that can attest to the benefits. Have you considered how a risk assessment before, or remediation and testing after an event, would strengthen your company’s defenses?
By Francesca Wolf
Legal Counsel & Compliance Officer
Tags: cyber security, SEC, Securities and Exchange Commission