The Landscape of Company-Prepared Cybersecurity Information
As both public and private sectors grapple with cybersecurity, the investor and other stakeholder demands for and expectations of transparency about how companies are managing this risk are increasing. These calls for more information serve as potent drivers for improving the general level of cybersecurity risk management practices across the company-reporting ecosystem. Investors and other stakeholders are interested in understanding a company’s cybersecurity risks, and strategies for mitigating those risks, for a multitude of reasons, including the following:
- Investors want to understand cybersecurity risks that could threaten the achievement of the company’s operational, reporting, financial, legal, and regulatory objectives. Failing to achieve these objectives may impair the company’s brand reputation, which can have implications on the company’s enterprise value.
- Companies want to understand the cybersecurity practices of their service providers: how those providers handle and protect sensitive information, and whether they are reliable members of the supply chain.
- Consumers want confirmation that their personally identifiable information will be secure.
Company-prepared cybersecurity information provides an opportunity for companies to communicate to stakeholders that they are taking cybersecurity seriously and have risk management programs in place to address cybersecurity risks.
Required Public Company Disclosures
Under disclosure guidance issued by the SEC’s Division of Corporation Finance (the Division) in 2011, a company may determine that it needs to disclose cybersecurity risks in various places throughout its Form 10-K. Ordinarily, that determination results in disclosure in the risk factors, management’s discussion and analysis (MD&A), legal proceedings, business description, and/or financial statements. In February 2018, the SEC updated its disclosure guidance to reinforce and expand on the 2011 guidance. The 2018 guidance addressed the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in a cybersecurity context. It also highlighted the importance of ensuring that periodic reports, such as the Form 10-K and Form 10-Q, as well as current reports, such as the Form 8-K, continue to provide timely and ongoing information on material cybersecurity risks and incidents. The SEC emphasized that companies must maintain disclosure controls and procedures, and that management must evaluate their effectiveness. In addition to this guidance, the SEC Office of Compliance Inspections and Examinations has issued several risk alerts on cybersecurity topics. Those risk alerts draw attention to risks companies may want to consider when assessing their own cybersecurity risks and related disclosures. The SEC also issued an investigative report in October 2018 that highlighted the need to recalibrate and maintain effective internal accounting controls to address evolving cybersecurity risks.
Many public companies consider cybersecurity to be a risk to their business operations. An EY survey of the cybersecurity disclosures of Fortune 100 companies found that 100 percent of these companies reported cybersecurity as a risk factor and 89 percent disclosed their risk oversight approach. While SEC requirements call only for disclosure of the most significant factors that make an investment in the registrant or offering speculative or risky, the Division’s guidance provides suggestions for enhanced disclosure around cybersecurity.
Voluntary Disclosures about a Company’s Cybersecurity Risk Management Program
While the vast majority of companies disclose some cybersecurity information in their SEC filings, many of those disclosures are limited to general information about cybersecurity risks and the risk management programs that address them. For example, according to an EY survey, only 7 percent of Fortune 100 companies disclosed that they perform cyber-incident simulations or tabletop exercises, and only 16 percent disclosed the use of an external independent consultant to help management with cybersecurity-related practices. Similarly, only 5 percent disclosed board engagement with an external independent advisor.
As the threat of cybersecurity attacks increases, particularly in today’s pandemic environment, so does the potential for severe consequences for a company’s operations, information, and resources. Therefore, investors and other stakeholders may find information beyond the disclosures required by the SEC, as outlined above, helpful for decision-making. Swiss Re Institute recently conducted a series of interviews with 20 international leaders from Europe and North America at the board and executive level on the importance of and demand for enhanced cybersecurity disclosures. The interviews revealed that respondents believe shareholders currently do not have enough transparency about a company’s cyber resilience to make an informed investment decision. None of the respondents rated current levels of transparency as “good” or “really good.” Further, the majority of respondents said that if one company reported on cyber resilience and another did not, it would make a difference to their own decision-making.
In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and the impact of the incident on the company’s operations. The SEC expects companies to provide disclosures that are tailored to their particular cybersecurity risks and incidents.
Fortune 100 Company Disclosures (EY survey):
- 7 percent disclose performance of cyber-incident simulations or tabletop exercises
- 16 percent disclose the use of an external independent consultant to help management with cybersecurity-related practices
- 5 percent disclose board engagement with an external independent advisor
As stakeholder interest grows, it may be helpful for companies to communicate key elements of their response to cybersecurity risk (sometimes referred to as a cybersecurity risk management program), such as their processes to prevent, detect, respond to, and recover from cybersecurity incidents. These communications could include, but are not limited to, the following:
- whether the company has governance processes and controls over service providers
- the existence of incident response planning and how often the plan is reviewed
- any simulations run by the company and the results
- use of an independent advisor and the services provided