Following SEC guidance, U.S. publicly traded companies disclosed not just the magnitude of their cyber exposure, which I wrote about on Monday, but the ways those risks are likely to manifest themselves—today’s subject.
Causes and Motives May Vary
The SEC’s disclosure guidance acknowledged that there can be significant differences between the exposure faced by different companies or similar companies with different technology systems, the motivation behind cyber-attacks and the way in which attacks occur.
Cyber incidents can result from deliberate attacks or be the unintentional consequences of fortuitous events (such as system upgrades). Cyber attacks may occur in a manner that doesn’t require gaining unauthorized access, such as denial-of-service (DoS) attacks on websites, or be carried out by third parties or insiders using sophisticated tools. Many attacks use traditional intelligence gathering looking for passwords and IDs.
The motivation behind cyber attacks can be theft of financial assets (like bank balances), intellectual property (trade secrets), or other sensitive information belonging to customers or other business partners (credit card information being the most obvious) or the disruption of business operations.
Dependence by businesses on digital technologies and the interdependencies of systems increase both the likelihood and the ultimate expense of a failure or intrusion.
SEC: Be Specific, Please
The SEC asked that cyber security risk disclosure adequately describe the nature of the material risks and specify how each risk affects the firm. The Commission recommended that appropriate disclosures include:
- Where outsourced functions have material cyber security risks, descriptions of those functions, and how the company addresses those risks
- Risks related to cyber incidents that may remain undetected for an extended period
- Descriptions of cyber incidents experienced by the firm that individually, or in the aggregate, are material, including the costs and other consequences
Our study found that companies that disclosed cyber risks were specific with respect to the types of risks they face 95% of the time. Even though the descriptions of the risks were specific to the type of risk faced, however, very few companies went into the level of detail the SEC suggested in describing potential circumstances, actual events, risky functions and latency.
What the Risks Are
In making these enhanced disclosures, the SEC suggested that firms consider both the probability of specific cyber incidents occurring and the quantitative and qualitative magnitude of those risks. Topping the list of disclosed foreseen exposures, not surprisingly, was the issue of privacy, with 65% of the Fortune 500 listing this as a potential concern. What was surprising to us was how infrequently terrorism (20%) and vendor risks (11%) appeared. It will be interesting to see if these patterns hold true when we consider these disclosures for the Fortune 1000, in our next study.
The SEC advised public companies that they may need to disclose previously known or threatened cyber incidents in order to put their discussion of cybersecurity risks in context. So if a firm experienced a material cyber attack in which malware was embedded in its systems, leading to the compromise of customer data, it wouldn’t appear sufficient for the company to disclose only that there is a risk that this type of attack might occur. Rather, the firm may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences as part of a broader discussion of malware or other similar attacks that pose a risk. Roughly 1% (6 organizations) in our study appeared to disclose prior actual cyber events for the first time.
Brave New World
Prior to the SEC’s guidance, no existing disclosure requirement explicitly referred to cybersecurity risks; investors and stakeholders had to rely on pre-existing requirements that public companies disclose material information regarding their risks. For U.S. public companies this has now changed and they should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
Malware: Malicious software introduced into a system to disrupt computer operations, gather sensitive information, or gain access to proprietary computer systems.
Pre-existing requirements: Regulation S-K Item 503(c) requiring the disclosure of risk factors, generally.