Published in Harvard Business Review, this article argues that regulators have started to take cybersecurity seriously. The Securities and Exchange Commission (SEC), the US regulator responsible for enforcing the law against market manipulation, has recently imposed two large fines related to cybersecurity.
Summary:
- The US Securities and Exchange Commission (SEC) has recently imposed two fines: a $1m fine against British publishing company Pearson following a data breach of student records, and a $500,000 fine against a US real estate company following a data breach that included social security numbers.
- The SEC therefore now treats cybersecurity risk as an existential business risk.
- Companies in the US are required to properly disclose cyber risk factors in SEC filings, along with other risks such as natural disasters, supply chain issues, or trade wars.
- Having to disclose these risks is not new. But historically, there have been very few regulatory repercussions for companies that suffered from cyberattacks. That seems to be changing.
- So, what can companies do to avoid these regulatory fines? The article proposes five steps:
  - Create a disclosure committee composed of director- and senior director-level employees.
  - Don’t wait too long to disclose.
  - Understand your risk by building visibility into your assets.
  - Regularly conduct forensic assessments of the company’s cybersecurity systems and of all known and potential internal and external threats.
  - Be prepared to disclose cybersecurity issues such as vulnerabilities, breaches and other cyber incidents before the full scope of the incident is understood.
Why does this matter for businesses?
- Regulators across jurisdictions are tightening their grip on how companies handle the disclosure of cyberattacks, expecting more transparency.
- This is not necessarily a bad thing. Complying with these regulations will help companies limit the harm from cyberattacks, minimising risk for investors.