The SEC Is Serious About Cybersecurity. Is Your Company?

The SEC has signaled that it is taking cyber vulnerabilities much more seriously than it has in the past. Two recent fines show that the agency views lax cybersecurity as an existential threat to businesses and is willing to penalize companies that fall short. This is reasonable: cyber threats pose as significant a danger to businesses (and their shareholders) as supply-chain vulnerabilities or natural disasters. To stay compliant, companies should: 1) create a disclosure committee composed of director- and senior-director-level employees, 2) disclose cybersecurity risks, incidents, and their business impacts in a timely manner, 3) build more visibility into their processes to better understand their weaknesses, 4) conduct regular forensic assessments of the company's cybersecurity systems, and 5) be prepared to disclose incidents before they are fully understood.

This summer, the U.S. Securities and Exchange Commission (SEC) signaled a significant change in how it thinks about what constitutes a threat to companies: it now considers cyber vulnerabilities an existential business risk. This was evident in fines levied against two companies over inadequate disclosures of cybersecurity issues, British publishing company Pearson PLC and First American Financial Corp. In mid-August, the SEC announced that Pearson had agreed to pay $1 million to settle charges that it misled investors about a 2018 breach in which millions of student records were stolen. And in June, the SEC announced a settlement and a roughly $500,000 penalty against real estate services company First American Financial for deficient disclosure controls following the discovery of a vulnerability in its system that exposed 800 million image files, including Social Security numbers and financial information.