General Data Protection Regulation (GDPR) may be restricted to the U.K., but its influence will be far-reaching when it comes to compliance regulations for companies here in the United States. The impending new regulations—combined with the onslaught of recent security breaches such as Uber and Equifax—leave many U.S. companies wondering how the SEC will react, and whether such recent events will lead to stricter disclosure measures for publicly held organizations in the states.
Recently, Intelligize held a webinar addressing the potential impact of these recent cyber events on filing season in which a panel of cybersecurity experts discussed key issues around the implications of breaches and shared best practices for how companies can navigate disclosure, breaches and compliance without much guidance from the SEC.
First, a look at some of the key implications that GDPR brings to the table for cybersecurity. GDPR is more of a symptom than the disease itself, noted Daimon Geopfert, principal at RSM.
“We have to first remember that GDPR has a much broader definition of sensitive data: basically, anything that can be reconstructed to identify an individual—at this point, that could even be an IP address. This broader definition means U.K. companies have to go through a whole new round of assessments in order to remain compliant,” Geopfert said. “Traditionally when a breach happens, you get fined X dollars per X amount of data lost. But through GDPR, the amount you lose is almost irrelevant. Now, it’s more about the conditions under which the breach occurred…”
The new regulations are essentially trying to beat bad behavior out of the system because companies were choosing to forgo compliance in favor of paying fines, which tended to be cheaper than paying for the security measures necessary to be compliant.
“That method no longer flies under GDPR. The same types of privacy laws are being constructed in multiple geographies in the U.S. (privacy rules are usually regulated on a state-by-state basis) and these organizations are going to watch this punishment system to see if it is effective. If it is, they will likely adopt the same methods,” he added.
Although the SEC has not updated its cyber disclosure guidance since 2011, it is concerned about whether companies are properly assessing risk across the board, and cyber is a major part of that, according to Frances Goins, partner at Ulmer & Berne.
“Many companies do not do vulnerability scans on critical systems and do not implement important security patches and system updates. That’s a huge problem,” she said.
New data from Intelligize recently revealed that just 38% of public companies in the U.S. disclose cybersecurity as a risk factor, based on 2016 10-K and 10-Q filings. But public companies that have avoided risk factor disclosure in their SEC filings may be intentionally omitting certain information to avoid tipping off potential hackers, according to Craig A. Newman, partner at Patterson Belknap Webb & Tyler.
“Each data security incident is different and each impact on stakeholders is different. The 2011 SEC guidance mandates that if it’s a material business risk and it’s not going to jeopardize an ongoing law enforcement investigation, the company has an obligation to disclose,” Newman said. “But if you disclose too much and there’s an ongoing investigation, you could put law enforcement at a disadvantage. Law enforcement needs time to do its forensics and work through all the issues and see if it has a shot at capturing any info on your systems about the hackers, because the moment you disclose, the hackers are going to be gone. Sadly, there’s not a one-size-fits-all answer.”
As we await further guidance from the SEC on cyber-risk disclosure, we could see an additional item added to the 8-K, moving toward treating cybersecurity as an extraordinary event.
“There has to be a diligence practice when assessing and disclosing your risk. Whether that’s in your risk factor analysis or your MD&A—then you can jump to the 8-K,” said Judy Selby, principal of Judy Selby Consulting. “Whether or not the SEC decides that cyber is going to be a separate category is almost beside the fact. Adding this to an 8-K may highlight the risk, but the obligation to disclose still exists regardless of whether or not a new category was added.”
The bottom line: companies need to disclose cyber-risk whether or not the SEC adds a new category or updates its 2011 disclosure guidance. The panelists agreed that it is wise for companies to select both forensic and crisis communication firms ahead of time. Proactive crisis communication can make the difference between a plummeting stock price and a salvaged reputation.