Published in Harvard Business Review, this article argues that regulators have started to take cybersecurity seriously. The US Securities and Exchange Commission (SEC), the regulator responsible for enforcing laws against market manipulation, has recently imposed two large fines related to cybersecurity.

Summary:

  • The US Securities and Exchange Commission (SEC) has recently imposed two fines: a $1m fine against British publishing company Pearson following a data breach of student records, and a $500,000 fine against a US real estate company following a data breach that included social security numbers.
  • The SEC now treats cybersecurity risk as an existential business risk.
  • Companies in the US are required to properly disclose cyber risk factors in SEC filings, along with other risks such as natural disasters, supply chain issues, or trade wars.
  • Having to disclose these risks is not new. But historically, there have been very few regulatory repercussions for companies that suffered from cyberattacks. That seems to be changing.
  • So, what can companies do to avoid these regulatory fines? The article proposes five steps.
    1. Create a disclosure committee composed of director and senior director-level employees.
    2. Don’t wait too long to disclose.
    3. Understand your risk by building visibility into your assets.
    4. Regularly conduct forensic assessments of the company’s cybersecurity systems and of all known and potential internal and external threats.
    5. Be prepared to disclose cybersecurity issues such as vulnerabilities, breaches and other cyber incidents before the full scope of the incident is understood.


Why does this matter for businesses?

  • Regulators across jurisdictions are tightening their grip on how companies handle the disclosures of cyberattacks, expecting more transparency.
  • This is not necessarily a bad thing. Complying with these regulations will help companies limit the harm from cyberattacks and minimise the risk to investors.
