Key Takeaways from the SEC’s Cybersecurity Guidance
In February 2018, the US Securities and Exchange Commission (SEC) affirmed something we know to be true: as organizations rely more and more on technology, the frequency and complexity of cybersecurity threats continue to increase. The SEC issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks.
This cybersecurity guidance communicates several major points to the public, including guidance for disclosing cybersecurity incidents, the prevention of insider trading, and developing comprehensive policies and procedures.
The Need for Cybersecurity Risk Management
Organizations, no matter their size or industry, must be aware of cybersecurity risks and have a plan to mitigate them. It’s reassuring to hear that the SEC recognizes just how real cybersecurity risks and threats are. The 2018 cybersecurity guidance states, “…the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks.” Going even further, it draws this parallel: “As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased. Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”
At KirkpatrickPrice, we often communicate that the cost of cybersecurity risk management is a smart investment, rather than spending that money on remediation from cybersecurity incidents. The SEC’s 2018 cybersecurity guidance does a great job of outlining just how much the recovery from cybersecurity incidents can cost. If you’re hesitant to undergo audits, penetration testing, or begin cybersecurity risk management at your organization, consider the following recovery factors from the SEC:
- Increased cybersecurity protection costs
- Lost revenue
- Remediation costs
- Litigation and legal risks
- Increased insurance premiums
- Reputational damage
- Damage to the company’s competitiveness
Disclosures and the Security Paradox
How much should companies disclose about their cybersecurity incidents or their cybersecurity risk management efforts? That’s the ultimate security paradox – how much do you share, and how much do you keep internal? Many organizations adopt the approach of refusing to release any information about their cybersecurity practices, even during an audit or penetration testing. They tend to think, “By not sharing information, we’ll be more secure. Why would we give away information about our security?” We believe that the more you isolate yourself, the less secure you are.
The SEC’s cybersecurity guidance addresses this very subject and says, “This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” The expectation is that companies disclose cybersecurity risks and incidents that would be significant to investors, like those that have financial, legal, or reputational consequences.
SEC Guidance on Policies and Procedures
Policies and procedures are vital to any company’s cybersecurity risk management program. They are so important, in fact, that every major framework has at least one entire section devoted completely to policies and procedures. The SEC’s 2018 cybersecurity guidance is no different. The guidance encourages comprehensive policies and procedures related to cybersecurity and overall compliance, but there is a heavy emphasis on disclosure controls. The guidance states, “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”
In September 2018, the SEC charged Voya Financial Advisors (VFA) with failures in its cybersecurity policies and procedures that led to a hack which compromised its customers’ personal data. The SEC reported that the attackers used social engineering to get the passwords of VFA’s contractors reset, which gave the attackers access to the personal information of 5,600 customers. VFA failed to follow its policies and procedures at multiple points, but from the moment employees fell for the social engineering scam, they were already failing to follow the policies and procedures governing contractors.
Trying to ensure that your company is correctly interpreting the SEC’s 2018 cybersecurity guidance? Want some help developing comprehensive policies and procedures? Let’s partner together!