Issuers Must Disclose ‘Extraordinary’ Cybersecurity Incidents

The SEC continues to assess its recent cybersecurity breach as issuers closely monitor the agency to determine its next steps, including the herculean task of hoisting a defensive wall in the face of the growing concerns and risks tied to escalating incidents of cybercrime that impact both the investing market and the boardroom.

The SEC recently came forward with a statement disclosing that personal information was part of the EDGAR breach. “The names, dates of birth and Social Security numbers of two individuals were exposed,” SEC Chairman Jay Clayton said in a statement.

While no one is looking to the SEC to put an end to cybersecurity breaches altogether, the exponentially increasing likelihood of a breach makes more stringent disclosure requirements more likely. What steps could the SEC take to bring greater transparency to cybersecurity reporting?

The SEC could deem cybersecurity events to be extraordinary events. Currently, Form 8-K is the workhorse for reporting on extraordinary events within a heightened timeframe. It could also be argued that a significant cyberbreach is already required to be included under Item 8.01 of Form 8-K. This field stipulates that a company should “voluntarily disclose any information that is not otherwise required to be reported but which it believes its securityholders would find important.”

If the SEC were to amend Regulation 8-K to introduce a new reporting item for cybersecurity, it could tackle what is likely the most vexing issue: the actual timeframe in which an issuer reports on a material event linked to cybersecurity.

While more in-depth reporting and assessment would follow in 10-Q and 10-K reports, investors would have far more timely insight into a cyberbreach occurrence if Form 8-K were used in connection with the existing cybersecurity challenges.

Over the past few years, the SEC has stayed close (but not too close) to the topic of cybersecurity. The SEC issued fairly comprehensive interpretive guidance back in October 2011, six years ago. In that time, we’ve seen damaging, widespread cybersecurity breaches with no end in sight.

Recent events not only highlight the ongoing concerns over how long it takes issuers to report on breaches but also showcase the near- and long-term negative impact a breach has on stock performance and investor returns. One recent Deloitte study shows that a severe breach can cause an average decline of 1.8% of companies’ stock prices on a permanent basis.

The undeniable trend of sliding share prices post-breach strengthens the position that a breach can be viewed as an extraordinary event that justifies timely reporting. While the road to implementing safeguards around cybersecurity initiatives will be long and fraught with new questions and challenges, a first step for the SEC could be developing a heightened sense of transparency and timing to assuage the growing concerns of investors and the general market alike.
