The SEC continues to assess its recent cybersecurity breach as issuers closely monitor the agency to determine its next steps – including the herculean task of hoisting a defensive wall in the face of the growing concerns and risks tied to escalating incidents of cybercrime that impact both the investing market and the boardroom.
The SEC recently came forward with a statement disclosing that personal information was part of the EDGAR breach. “The names, dates of birth and Social Security numbers of two individuals were exposed,” SEC Chairman Jay Clayton said in a statement.
While no one is looking to the SEC to put an end to cybersecurity breaches altogether, the exponentially increasing likelihood of a breach raises the likelihood of more stringent disclosure requirements. What steps could the SEC take to bring greater transparency to cybersecurity reporting?
The SEC could deem a cybersecurity event to be an extraordinary event. Currently, Form 8-K is the workhorse for reporting extraordinary events within a heightened timeframe. It could also be argued that a significant cyberbreach is already required to be included under Item 8.01 of Form 8-K. This item stipulates that a company should “voluntarily disclose any information that is not otherwise required to be reported but which it believes its securityholders would find important.”
If the SEC were to amend Regulation 8-K to introduce a new reporting item for cybersecurity, it could tackle what is likely the most vexing issue – the actual timeframe around when an issuer reports on a material event linked to cybersecurity.
While more in-depth reporting and assessment would follow in 10-Q and 10-K reports, investors would have far more timely insight into a cyberbreach occurrence if Form 8-K were used to address the existing cybersecurity challenges.
Over the past few years, the SEC has stayed close (but not too close) to the topic of cybersecurity. The SEC issued fairly comprehensive interpretive guidance back in October 2011, six years ago. In that time, we’ve seen damaging, widespread cybersecurity breaches with no end in sight.
Recent events not only highlight the ongoing concerns over how long it takes issuers to report breaches but also showcase the near- and long-term negative impact such an event has on stock performance and investor returns. One recent Deloitte study shows that a severe breach can cause an average decline of 1.8% of companies’ stock prices on a permanent basis.
The undeniable trend of sliding share prices post-breach strengthens the position that a breach can be viewed as an extraordinary event that justifies timely reporting. While the road to implementing safeguards around cybersecurity initiatives will be long and fraught with new questions and challenges, a first step for the SEC could be to develop a heightened sense of transparency and timing to assuage the growing concerns of investors and the general market alike.