SEC Publishes New Guidelines for Disclosing Cybersecurity Risks to Investors

Understanding Cybersecurity Risks
In today’s digital age, the use of technology to facilitate investments has become largely commonplace. We can see many examples of how investing has moved to the cyber-realm from online investing platforms to robo-advisers. While this has greatly empowered investors to take more direct control over their investment strategy, it has also increased the potential vulnerability to cyber fraud and theft.
“In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies…”
The above quote comes from a newly published memo by the Securities and Exchange Commission (SEC). The memo sets forth guidelines and procedures for public companies to inform investors and regulators of cybersecurity risks.

The threat of cybercrime has become a major reality for business all over the world, and regulators say it will only become more prevalent.

As such, mitigating cybersecurity risks has become one of the prime points of focus for securities regulators. In addition to regulation and oversight, the SEC regularly informs and advises about common cybersecurity risks and related preventative measures.

SEC Report to Public Companies

The recent 24-page report provides an updated interpretation of the SEC’s stance on cybersecurity disclosure. The statement provides public companies with a clear understanding of how cybersecurity risks must be disclosed – particularly as they impact investors – per SEC regulations. The original report, published in 2011, described public companies’ obligations in disclosing cybersecurity threats but did not outline specific procedure.
In the wake of widespread scandals involving large-scale data breaches of public companies (Sony- 2014, Equifax- 2017), the SEC has deemed it necessary to provide public companies with a clearer understanding of what they are required to disclose to regulators as well as how it needs to happen.
It’s a system of checks-and-balances. If potential, or even actual, cybersecurity risks are left unchecked and/or undisclosed to regulators, there is

  1. Nothing that can be done to mitigate damage to investors/stakeholders
  2. No way to implement preventative measures/safeguards against future risk

This, in addition to the damage to reputation and potential legal consequences for businesses that fail to disclose risks properly.

So what does a public company’s disclosure of cybersecurity risks mean to you?

While the report is directed at public companies, there is information that you will find applicable as an investor. The most widespread (and costly) damages of cyber attacks is data loss; personal data: personnel records, shareholder information, account information. It’s the kind of stuff you don’t want getting into the wrong hands, especially if you are an investor. So, while a cybersecurity attack may be directed towards a public company, it’s investors that are getting hit.
While the report does have info you need to know, all 24 pages may not be exactly relevant to you. So to save you some time, we took a look at the full SEC report. We’re bringing you the main takeaways so you can understand what this means for you and your investments.

If you would like to take a look yourself, you can also read the full report here

Understanding Disclosure Guidelines

When you invest, what is one the biggest factors to consider?
Before you pull the trigger on any investment, you will want to know the risks. There are always going to be risks – that’s the name of the game – but for the most part, these should be accountable risks; ones you can anticipate. But what happens if certain risks are concealed from you and you are not equipped the resources to address them, should those risks become a threat?
That’s where disclosure laws come in. In any investment situation, whether you’re buying a house or securitized asset, you are entitled to a full disclosure of potential or real risks concerning that asset.
The same goes when you are considering an investment in a public company; you will want to know the material risks with which it is associated. It is standard procedure to review a company’s risk profile in order to assess its investment value. The issue prompting the SEC’s updated guidelines report is that, in light of the rising threat of cybercrime, there is not a great enough effort to properly disclose cybersecurity risks to investors.

Assessing Cybersecurity Risks

Before investing in a public company, make sure you have done a proper risk assessment including:

  • Thorough review of your disclosure agreement
  • Inquiry into cybersecurity risks and cyber-threats

The SEC guidelines spell-out specific circumstances in which a public company must disclose cybersecurity risks to investors including with the issuance of any periodic reports disclosing business operations, risk factors, legal proceeding and upon furnishment of material information necessary to make an investment decision.
Companies are not obligated to disclose cybersecurity frameworks or operations in order preserve existing security measures in the event of an attack.
Essentially, they need to provide you with actionable resources to make an informed investment decision as well as with the ability to respond in the event of a cyber attack.

What to Do if You Become the Victim of a Cyber-attack

If you find that one or more of your investment accounts has been compromised by a cyber-attack, there are a few things you need to do immediately:

Notify your financial institution and/or investment firm

Letting them know as soon as possible that one or may of your accounts may have been compromised will help them catch any out-of-place changes to the account. Make sure you document all discussions you have for reference.

Change all of your investment/financial account passwords and login codes

If you believe that your login information to any of your accounts may have been stolen, change your passwords immediately. If you use one password for multiple accounts, make sure you have changed all of them.

Close hacked accounts

You may want to consider speaking with your investment firm or advisor about closing your account and transferring assets to a new one if you notice suspicious activity.

Put a fraud alert on your credit profile

If you believe you have been the victim of identity theft, you can notify any one of the major credit reporting companies to have an initial fraud alert placed on your account. This will allow any bank or crediting institution to view an identity theft alert when viewing your credit file.

Additional Resources

Suffering a cyber-attack that hurts your investments can leave you with a lot to deal with. If you need any information or assistance in recovering your investment after a cyber-attack, contact our team.

Contact Information