The Securities and Exchange Commission’s (SEC) new cybersecurity disclosure rules, which went into effect on September 5, 2023, underscore the growing material impact of cybersecurity on business. Generally, the rules require public companies to promptly disclose material cybersecurity breaches and to provide annual disclosures regarding the company’s cybersecurity strategy, risk management, and governance. In particular, the rules specify that public companies must disclose in their Forms 10-K “management’s role in assessing and managing material risks from cybersecurity threats” and “the board of directors’ oversight of cybersecurity risks.” Thus, the rules emphasize that cybersecurity is the responsibility of the company’s management and board.
While the disclosure rules do not apply to private companies, cyberthreats to private companies are just as worrisome as they are for public companies. The consequences of not following cybersecurity best practices can be dire for either type of company. On the other hand, taking a proactive approach to cybersecurity can have a significant upside, positioning the well-protected company as a leader in its industry and a trustworthy partner to clients and vendors alike. Thus, even though investing in appropriate cybersecurity measures is a significant commitment both in terms of resources and in terms of training time for employees and management, this investment is likely to pay for itself in multiple ways.
The Strategic Advantages of Being Cybersecure
With losses from cybercrime poised to hit a new global annual record of $8.5 trillion in 2023, many business leaders and risk management professionals now see cyberattacks as the biggest business risk faced by companies around the world. The good news, however, is that many companies are now considering the upside of cybersecurity, and realize that cybersecurity investment can confer significant strategic advantages in a highly competitive business environment.
Here are just some of the strategic advantages that can be achieved by adhering to cybersecurity best practices:
- Building customer trust. In the business-to-business space, a vulnerable vendor can create both an upstream and a downstream risk for the whole supply chain, and companies are placing more and more importance on their partners’ cybersecurity posture. A company’s cybersecurity program can be a meaningful differentiator and increase the likelihood of a successful pitch for new business. This is especially true for subcontractors of government contractors who have specific cybersecurity elements they must demonstrate to be able to bid on government projects.
In the business-to-consumer space, it is just as imperative to build consumer trust. No individual wants their personally identifiable information (PII) to be leaked through a cyberattack, and the more clearly a company can demonstrate its commitment to keeping that information safe, the more trustworthy consumers will consider it.
- Regulatory compliance. Both state and federal regulators are increasingly concerned about cyberattacks, especially when these cyberattacks lead to leaks of PII. If lax cybersecurity measures are found to be responsible for the breach, the resulting investigations can be costly and intrusive, and the resulting settlements often impose years-long third-party monitorships to make sure that the company complies with cybersecurity best practices.
Taking a proactive approach to cybersecurity minimizes not only the chances of a successful cyberattack, but also the chances of an investigation if a breach does occur. In addition to saving the company hundreds of thousands — if not millions — of dollars in attorneys’ fees and the cost of third-party monitors, a proactive approach allows the company to design the processes and systems that best work for it, as opposed to having to adopt the processes and systems imposed by a settlement.
- Reputation management. Because cyberthreats are such a significant risk factor for businesses, a company’s reputation for cybersecurity creates downstream effects. For example, if a company cybersecurity program is perceived as not sufficiently robust, it may have a negative impact on the bottom line, including by driving away potential investors, increasing the cost of debt, and increasing insurance premiums (or making it difficult to find enough coverage).
- Future readiness. The world of cyber is constantly changing, both in terms of threats and in terms of cybersecurity technologies. A proactive posture that makes keeping abreast of the changing cyber environment a priority will keep the company safer now and will identify potential threats down the road. Moreover, the resources needed to update the company’s cybersecurity programs will be incremental, and therefore less costly. For these reasons, keeping management and the board current on developments in cyber is becoming an essential cybersecurity best practice — one that the new SEC rules emphasize with their requirements for disclosing the C-suite’s and board’s engagement in cybersecurity strategy, risk management, and governance.
Cybersecurity Best Practices
While there are numerous sophisticated technical cybersecurity measures that companies can employ, your company’s most valuable cybersecurity asset is a cyberthreat-aware workforce trained to understand the importance of taking cybersecurity seriously. Adding some of the most impactful best practices, which are simple to implement and have been available for years, can significantly enhance cybersecurity further.
- Understand social engineering and train employees to avoid it. A vigilant workforce is your company’s first line of defense against a successful cyberattack, because the vast majority of successful cyberattacks are initiated through phishing or other social engineering approaches designed to trick employees into divulging their login credentials.
- Require anyone who accesses your systems to use two-factor authentication (2FA). The most common type of 2FA is a one-time verification code the user gets by text, email, or authenticator app.
- Make it a policy for employees to only log into your systems through the company’s virtual private network (VPN). VPNs create an encrypted channel for your data, allowing you to use public networks and Wi-Fi hotspots safely.
- Stay on top of updates and patches issued for the apps and programs used by your company. Once a vulnerability is identified, it is critical to apply any patches or updates to prevent hackers from exploiting it. For example, in July of this year, Citrix alerted the public that a vulnerability in its filesharing program allowed unauthorized, remote hackers to access the device on which the program is installed, and released a patch to fix this vulnerability. Yet, if history is a guide, a large percentage of administrators will not install the patch and will remain vulnerable to hackers.
- Limit access to sensitive information — either customer PII or the company’s own sensitive data and intellectual property — on a need-to-know basis. Every person with access represents additional risk, either as a potential victim of social engineering or as a person whose access can be reached once someone else in the company has been compromised.
- Conduct frequent — or at least yearly — trainings for nontechnical managers and directors about the current state of cyber and include a cyber tabletop exercise (TTX) in the training. Such trainings are a highly efficient method of keeping managers and directors on top of recent developments in cyber, and the cyber TTX enables them to game out real-world scenarios, including protecting the company from common cyberthreats and responding properly to a successful cyberattack.
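The two-factor authentication item above mentions one-time codes from an authenticator app. The following added example (it is not code from the article or from its authors) shows the server-side check that such codes rely on: the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), with a small clock-drift window, a constant-time comparison, and rejection of a code that has already been accepted. The secret is the published RFC test secret used as a constructed sample; the function names and the `last_counter` replay guard are this example's own design, not a particular product's API.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample secret: the ASCII test secret from RFC 4226/6238.
# A real deployment generates a random per-user secret and stores it protected.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time in 30-second steps.
    This is what the authenticator app computes and displays."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the time-step counter that matched, or None on failure.  The caller
    stores the returned counter as the user's new `last_counter`, so a captured
    code cannot be replayed within the same or an earlier time step (hypothetical
    design for this example, not a specific product's behaviour).
    """
    # Reject anything that is not exactly `digits` decimal digits before doing work.
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = at_time // step
    # Allow +/- `window` steps of clock drift between phone and server.
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue  # already used (or older): treat as a replay
        # compare_digest avoids leaking how many leading digits were right via timing.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Time 59 falls in counter 1; RFC 6238 lists 94287082 for SHA-1, i.e. 287082 at 6 digits.
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    print("first use accepted, counter:", verify_totp(DEMO_SECRET, code, 59))
    print("replay rejected:", verify_totp(DEMO_SECRET, code, 59, last_counter=1))
    print("stale code rejected:", verify_totp(DEMO_SECRET, code, 59 + 90))
```

The window of one step on each side is the usual trade-off: it tolerates a phone whose clock is up to about half a minute off while keeping the set of valid codes small; widening it materially increases what an attacker who has captured a code can do with it.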
If you would like to adapt the SEC’s new reporting rules for your cybersecurity program, we can help. Contact Dr. Ronald Menold, Director, Cybersecurity Services, to discuss the best options for implementing these rules internally. For questions regarding reporting obligations for SEC reporting companies, please contact our Capital Markets & Securities Group. For more information on the SEC’s cybersecurity rules, please refer to the following alert.