Introduction
Starbucks Singapore discovered a data breach in September last year when they tracked down unauthorized access to their user details. The data was sold on online trading forums for stolen databases.
Starbucks claims that no sensitive financial data like customer credit card information was compromised however information like birth date, address, and phone numbers was affected.
Starbucks is just one example, but organizations have been exposed to cyber-attacks for long. However, with increased digitalization of businesses and the remote working adopted during the pandemic combined with the ability of cyber-criminals to monetize stolen data has multiplied that risk manifold with newer forms of attacks emerging from phishing to social engineering.
Cyber-attacks have also contributed to the steadily increasing cost of cybersecurity, impacting businesses and investors alike with decreased production, delays in product launches, and costs incurred due to business interruptions.
To top it- off, businesses must pay big sums of ransom and extortion money to gain back access and control over their data. According to Statista, 71% of organizations worldwide were affected by ransomware, and 72% paid to recover their data. Also, as per Coveware, a cyber extortion incident response firm, the average ransom paid in Q3 of 2022 was $258,143.
The other component of cybersecurity attacks is the remediation costs including expenses incurred after a cyber-attack like the liability for stolen assets or information, system repair costs, and incentives offered to customers or business partners to sustain relationships post-attack.
In addition, cybersecurity protection costs encompass expenses for increased insurance premiums, organizational modifications, extra personnel and protection technologies, staff training, and contracting third-party experts and consultants. Reduced revenues resulting from intellectual property theft, unauthorized use of proprietary information, or failure to retain or gain customers following a breach is another challenge that organizations face. Legal risks, fines by regulatory bodies, harm to customers and employees, privacy law violations, and irreparable reputational damage are other layers to the risk.
Let’s gather an overview of the cybersecurity risks organizations face.
Overview of Cybersecurity Risks
The Cybersecurity_threatscape_Q3_2022 published by Positive Technologies indicates a steady rise in the number of cyber-attacks. The last quarter of 2022 witnessed an 18% increase in malware attacks targeting Linux, on which most virtualization solutions and cloud technologies used by organizations, are based.
57% of the organizations were attacked using malware that penetrated corporate systems by compromising credentials and exploiting vulnerabilities.
The attack on the Colonial Pipeline is a good reminder of what organizations face when their cyber-security gets breached. The attack had shut down half of Colonial Pipeline’s operations disrupting refined oil supply along the entire East Coast and impacting the everyday lives of ordinary people.
Attacks on critical infrastructures can result in public panic and knee-jerk reactions from the market that can impact the economy. Therefore, cybersecurity-related risk disclosures are becoming a priority for governments and regulatory bodies across the world with the EU taking a concrete step in the form of GDPR (General Data Protection Regulation).
The Securities and Exchange Commission (SEC) Cybersecurity Disclosure Guidance
A significant development post the Colonial Pipeline attacks was the Strengthening American Cybersecurity Act (SACA). The Act requires federal agencies and critical infrastructure owners to report cyberattacks within 72 hours and ransomware payments within 24 hours.
In March 2022, SEC proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. SEC observed that only 64% of the domestic filers made any cybersecurity-related disclosures. The domestic companies that submitted annual reports but did not disclose any cyber-related information had a total asset value of $892.6 million and a market capitalization of $2.2 billion.
The additional information is to help investors make informed decisions and minimize information asymmetry in the market by reducing instances of mispricing of securities, and standardized and comparable disclosures can lower search and information processing costs.
In addition to investors, other financial statement users, like financial analysts, investment advisers, and portfolio managers, could also benefit from cybersecurity-related disclosures.
The Proposed Changes Included:
- Disclosure regarding policies and procedures for identifying and handling cybersecurity risks
- Mandatory disclosure on whether and how cybersecurity factors influence the selection and supervision of third-party service providers
- Mandatory disclosures of material cybersecurity incidents are required to be reported in a Form 8-K current report to be filed within four business days from the time the material cybersecurity incident occurs
- The expanded role of management and board’s oversight in assessing and managing cybersecurity risks with policies and processes and disclosures about board members and their skills who have expertise in cybersecurity
- The cybersecurity disclosures are to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”)
Cyber-security risks are a concern for everyone from CEOs to the stakeholders, investors, capital market, regulatory bodies, and the common consumer.
Updated Guidance
On March 15, 2023, SEC’s press release proposed new requirements to address cybersecurity risks for the financial services sector, expounding on the threat cybersecurity poses, to the stability of the US financial system and securities market. SEC highlights the increased ransomware and malware attacks on the companies and the diversity of threat actors including organized groups and individuals employing advanced tactics, techniques, and procedures like social engineering to attack.
Overview of SEC’s Proposed Amendments to Cybersecurity Risk Disclosures
SEC proposed amendments to ensure organizations offer prompt and informative disclosures on cybersecurity incidents and risk management, strategy, and governance, to investors and other market participants in addition to the information already provided in Forms 10-K and 10-Q.
Additionally, the amendment to Forms 10-Q and 10-K, Regulation S-K 106(d) would now make it mandatory for companies to divulge information about past cybersecurity incidents and their materiality status.
One of the significant amendments is related to Item 407 of Regulation S-K, which would require companies to disclose any cybersecurity experience of their board of directors members, if applicable.
The Additional Requirements Under Proposed Rule 10 Include:
The business needs to conduct periodic assessments of cybersecurity risks associated with its information systems and maintain written documentation of the risk- assessments
- Design controls to minimize user-related risks and prevent unauthorized access to information systems
- Design measures to monitor information systems and protect information from unauthorized access or use, and oversee the service providers that receive, maintain, or process information or have access to information systems
- Undertake measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities
- Plan measures to detect, respond to, and recover from a cybersecurity incident and maintain written documentation of any cybersecurity incident and response
Reporting About the Cybersecurity Incident
Companies will have to report a significant cybersecurity incident that has occurred or is occurring by filing Part I of the proposed Form SCIR through the EDGAR system.
The company will share information about its efforts to respond and details of recovery from the incident, update when material information becomes available or previously reported information is deemed inaccurate and submit a final proposed Form SCIR post the resolution of the significant cybersecurity incident.
In addition to the above-stated requirements, the companies will need to publicly reveal brief explanations of their cybersecurity risks and any major cybersecurity incidents encountered in the current or prior year’s calendar. The form should be submitted to the Commission via the EDGAR system and should be displayed on the business website and available to the public.
Key Takeaways for Public Companies
The proposed new rules bring more granularity to the cybersecurity-related risk disclosure requirements and involve increased costs for the company to create and maintain the cybersecurity-related infrastructure. However, the resulting fair, orderly, and efficient market operations and curtailed vulnerability to cybersecurity incidents will reduce the expenditure incurred in paying the ransom and prevent the loss of business opportunities. As per SEC, a typical financial services company experiences an average loss of $18.3 million per cybersecurity incident.
With additional information available, the companies can use it to strengthen and assess the resilience of their cybersecurity infrastructure and identify and mitigate potential risks in good time.
Maintaining cybersecurity-related records will help companies understand whether their current processes, policies, and infrastructure are adequate to manage their cybersecurity-related risks and take preventive or additional measures. The annual review will also help companies remain updated and ahead of the threat actors employing constantly evolving tactics and tools to conduct these attacks.
Since the disclosures will be a government mandate, it is also advisable that the companies ensure that their vendors can assist them in meeting the four-day time frame to remain compliant. Public disclosures about the company’s cybersecurity risks, measures, and incidents will help establish trust and credibility with the investors and assure the stakeholders that their data and assets are safe.
Cyber-security risks and related disclosures are beneficial for businesses, and adopting best practices can help them further optimize their processes and policies for improved results.
Best Practices for Cybersecurity Risk Disclosures
Transparency – Businesses should keep in mind that cybersecurity breaches impact not just their business operations but also stakeholders, and investors, and because of the interconnectedness of the market, the entire sector, and industry. Therefore, transparency is important when communicating about cybersecurity risks and impacts.
Specific Information – Specific information about the potential risks, their type, and measures taken to mitigate them and incident base disclosures highlighting the responsive measures taken can help build trust and confidence amongst the stakeholders. The companies should document their cybersecurity incident response in detail including, information like the number and nature of breaches, loss of physical resources (laptops and hard drives), loss of third-party data, denial of service (DOS), and ransomware attacks. Having an audit trail to identify systems and people involved in the incident response and recovery process is another aspect to consider.
Simplified Communication – Cybersecurity-related risks should be explained in simple terms to ensure users of the information don’t get lost in technical jargon and miss the material information. The communication related to cybersecurity risks should be clear, concise, and easy to understand.
Explaining Risks Within Business Context – Businesses need to ensure that stakeholders have a clear understanding of the cybersecurity risks within the context of the business and how it impacts the operations and regulatory compliance needs.
Robust Cybersecurity Infrastructure – Businesses should aim to create a robust cybersecurity infrastructure with strong internal control measures with continuous review and assessment to proactively identify and mitigate risks. Disclosing these risks periodically is another best practice to consider.
Seeking Expert Help – Companies must invest in human resources and seek expert guidance to assess their risks and strategize to address them effectively. Experts can also help companies audit their current practices and infrastructure and suggest improvements and additions.
Potential Challenges for Public Companies
As we discussed in the previous sections, the cost is a major obstacle while creating and implementing cybersecurity-related infrastructure and policies but there are other challenges too.
Operational Challenges – A clear and complete understanding of the cybersecurity threats and risks that an organization faces requires a thorough understanding of systems, networks, and data and keeping abreast of the latest threat actors and the tools and tactics implemented by them and proactively planning actions to mitigate them. It is easier said than done as we have seen in the past that some of the biggest organizations with effective cybersecurity infrastructures in place have fallen victim to cyberattacks.
Legal Challenges – Failure to comply with cybersecurity-related disclosures and data privacy and security laws can lead to legal challenges for the organization. Data breaches have serious consequences involving heavy fines, sanctions, audits initiated by governments and lengthy regulatory investigations, and even criminal charges against the firm and board members. If the stakeholders like customers, employees, investors, and business partners suffer financial damages, they can initiate legal actions like class action lawsuits against the business. All of this has an impact on the operation, reputation, and finances.
Financial Challenges – Addressing cybersecurity risks can be a cost-intensive process for the companies, regulatory fines, cost of remediation, and sanctions aside, companies, can lose it all when faced with litigation. The opportunity cost for losing business and customer trust though difficult to ascertain in exact numbers is still significant. Augmenting existing cybersecurity infrastructure or completely changing them in the aftermath of breaches and incidents becomes a necessary cost.
Conclusion
Modern-day businesses must keep one step ahead of the cybersecurity-related challenges and threat actors to ensure business continuity and success. The regulation and laws around cybersecurity-related risks and disclosures will continue to evolve with the changing nature of threats therefore businesses need to plan and allot their resources judiciously to account for a robust and constantly updating cybersecurity infrastructure to avoid breaches and attacks in the first place and respond swiftly when it does to allow minimum damage.
