When you run a publicly traded company, cybersecurity becomes significantly more important.
A major hacking event can hurt your share price. It can also call your financial statements into question. That’s why you need to understand how and why the Securities and Exchange Commission (SEC) is raising the bar. Hoping and praying you avoid hacking isn’t going to cut it anymore!
Cybersecurity Risk Assessment: An Established SEC Expectation
Before reviewing what happened in 2018 at the SEC, take a step back for some critical context.
Cybersecurity expectations are nothing new for the SEC. The organization issued comprehensive guidance back in 2011. That guidance, namely CF Disclosure Guidance: Topic No. 2, changed the game. This guidance laid out expectations on two levels. First, companies were expected to manage cybersecurity risks. Second, there were expectations regarding security breaches. Here’s the key section from the SEC:
“Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
Note the emphasis on risk assessment and the probability of cybersecurity incidents. If recent years have taught anything, it’s this: security incidents and risks are steadily increasing. Now, with that background in hand, what did everyone learn from the SEC’s 2018 announcement?
What Did the SEC Say About Cybersecurity in 2018?
It’s one thing to publish guidance; it’s another matter entirely to apply a fine. In September 2018, the SEC punished a company, Voya Financial Advisors, Inc., for poor cybersecurity practices. According to the official press release:
“The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.”
Not only did the company agree to pay the $1 million penalty, but it’ll also have to face difficult questions about the quality of its cybersecurity for years to come. This decision came a few months after an announcement of increased expectations on cybersecurity for public companies. Arguably, the brand reputation damage is much worse than the fine.
What Do These SEC Cybersecurity Requirements Mean for Your Company?
If your company is already regulated by the SEC, it’s time to shape up! Regulators expect a higher standard of security protection and procedures. The smart money says that keeping up with those expectations will be difficult for companies that rely upon manual and ad hoc procedures. Having a cybersecurity policy in place isn’t good enough; you need to put those practices in place.
By the way, living up to these higher expectations isn’t just for public companies. Do you want to go public? Alternatively, are you interested in being acquired by a public company? In either case, it makes sense to be proactive in boosting your standards before you face fines and reputational damage.
Policies, Procedures, and Reporting: 3 Keys to Keeping the SEC Off Your Back
If you want to avoid painful attention and fines from the SEC, then listen up. Three areas are recommended for assessing and improving. Neglect any one of these areas and you’ll be at heightened risk for hacking and fines.
Set out the principles that guide your approach to security. You should define roles and responsibilities, as well. For example, who’s responsible for creating cybersecurity training? What accountability do people managers have for guiding their people? In highly regulated industries such as banking, design your policy to correspond to regulation. Additionally, set a review cycle for the policy (e.g., review and update the policy annually to ensure it makes sense as conditions change).
At the ground level, what will you ask staff to do? For example, do you have an employee offboarding process to reduce employee fraud risk? Start with defining procedures for the IT department and managers. To be useful, procedures should be simple and short documents. If they’re complicated, your employees will struggle to implement them.
When the SEC calls to ask about your cybersecurity program, how will you answer its questions? You don’t want to improvise in this area! The better approach: implement a reporting and monitoring system. For reports sent to senior management, develop a simple dashboard that highlights trends and top issues. Use the CIO guide to building a dashboard for cybersecurity to get started.
How to Keep Up with SEC Cybersecurity Requirements Without Going Crazy
By this point, you might feel completely overwhelmed. The brand you’ve spent years developing can be destroyed in minutes by a hack. There’s no foolproof way to avoid hacking, but you can improve security without spending every hour of the day worrying about it.
The solution lies in using security software solutions. These tools make reporting, password management, and identity control easier to manage. Look at two quick use cases.
- Self-serve passwords
Use Password Station to end the number one problem for the help desk: non-stop requests for password resets. While you’re working to improve your password practices, make sure you provide employee password training.
- Simplify security
Honestly, most employees are quietly frustrated with the hassle associated with cybersecurity. That’s why you need a single sign-on solution. Instead of scrambling to remember multiple passwords, your employees can use a single ID and focus on their work.