The U.S. Securities and Exchange Commission (SEC) has 500 million new reasons to examine the rules on when companies must disclose cyber risks and attacks.
That’s the number of accounts that Yahoo said were hacked in what’s being called the largest data breach ever. The company on Sept. 22 blamed a “state-sponsored actor” for the theft of names, email addresses, telephone numbers, dates of birth and encrypted passwords.
While Target, the U.S. Office of Personnel Management and seemingly countless other high-profile attacks have inflamed internet security fears in recent years, the unprecedented size of the Yahoo breach and the fact that it took the company two years to disclose it is drawing unusual heat in Washington.
Six Democratic senators — Patrick Leahy (Vt.), Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.) and Edward Markey (Mass.) — signed a letter to Yahoo CEO Marissa Mayer asking what Yahoo knew, when it knew it, and what the company is doing to prevent future breaches.
The letter came a day after Sen. Mark Warner (D-Va.) urged SEC Chairwoman Mary Jo White “to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT [information technology] systems.”
With all this attention on Capitol Hill, the Yahoo case may represent a tipping point in stepped-up action by the SEC to ensure publicly traded companies properly disclose cyber risks and incidents to their shareholders.
Financial losses from cyber crime can be huge, including money stolen, cost of intellectual property taken, recovery cost of repairing or replacing damaged networks and equipment, regulatory fines, litigation costs, reputational harm, reduced competitiveness and failed expansion in emerging markets. Juniper Research has estimated that the cost of data breaches will quadruple to $2.1 trillion globally by 2019.
The SEC saw the threat coming and in 2011 released guidance describing companies’ legal obligations in cybersecurity. This guidance, which marked its fifth anniversary on Oct. 11, instructs public companies to disclose hacking incidents to shareholders that could have a material adverse effect on the business. Though written by regulators, the guidance represents a shift toward a market-based approach to cybersecurity, where companies can focus on protecting themselves without prescriptive regulations while being held accountable by their shareholders.
But confusion about what constitutes a material cyber event has led to shortcomings and inconsistency in how businesses report on their cyber health.
And that leaves investors unaware of critical cyber-related risks or incidents.
Some businesses are not aware that cyber incidents are occurring. Though corporate spending on cybersecurity technologies continues to rise, many companies still lack the ability to detect an attack in real time and respond appropriately.
Other companies do not have the accounting processes in place to perform damage assessments to determine the short- and long-term impact of data theft on revenue and profitability.
There is inconsistent understanding and interpretation of the material cyber risk and incident disclosure rules among corporate lawyers, with some using artificially high thresholds for materiality.
When information is presented to investors, it’s not terribly useful. Disclosures tend to be boilerplate, vague and inaccurate. The information that would be truly relevant for investors — descriptions of cyber risk management practices, internal oversight by senior executives and board members, as well as quantitative information about cyber incidents and their real or expected financial impact — is rarely reported.
Investors can and should demand greater transparency, just as they have done in other areas of importance. In fact, many of the world’s largest institutional investors are conducting direct engagements with their investment portfolios on cybersecurity.
Here are a few steps that the SEC can take to help:
- Create an education campaign to raise awareness of the existing disclosure laws, including disclosure obligations and investors’ rights to obtain information.
- Build on the 2011 guidelines to create consistency in material risk and incident reporting. Working with key stakeholders, the SEC can create a consistent and standard reporting structure for registrants to disclose material information about cybersecurity.
- Ask the private-sector Financial Accounting Standards Board (FASB) to develop recommendations with respect to cybersecurity accounting issues.
- Enforce existing disclosure laws.
- Consider issuing additional guidelines. Though I believe enhancing awareness of the guidelines is the logical first step, additional guidance may ultimately be necessary to improve the quality and quantity of material risk and incident disclosure.
Because of its massive size, the outrage on Capitol Hill and the attention from the investor community, the Yahoo breach presents an ideal opportunity for the SEC to take a more active role in protecting shareholders.
Olcott is vice president of business development at BitSight, which provides companies with objective, evidence-based security ratings. He has previously worked as legal adviser to the Senate Commerce, Science and Transportation Committee on cybersecurity and staff director for the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, Science and Technology.
The views expressed by contributors are their own and not the views of The Hill.