The United State Securities and Exchange Commission (SEC)
released a new guidance on cybersecurity last month, stating that cybersecurity
risks must now be disclosed. In the past, the SEC has required publicly traded
companies to disclose material risks and events information that would be
pertinent for a person to know before investing in the company.
But before this new guidance, it was not clearly stated that
cybersecurity information was to be included in this information. According to
an article in the Washington
Post, This SEC guidance is critical because it allows market participants
to weigh cybersecurity as an investment factor. It is generally understood that
disclosing material breaches such as the significant loss of a companys
intellectual property will affect the value of a company, because existing or
potential investors will reconsider their investment decisions. Without
detailed public information about these events, investors are unaware of the
risks to which companies are exposed. And without pressure from investors,
corporate officers are less likely to change their risk-management practices.
So now, a company must be upfront about any problems they
have had as a result of poor fraud
prevention tools.
According to the guidance, failing fraud prevention
systems, which result in cybersecurity issues, can result in:
- Remediation
costs that may include liability for stolen assets or information and
repairing system damage that may have been caused. Remediation costs may
also include incentives offered to customers or other business partners in
an effort to maintain the business relationships after an attack; - Increased
cybersecurity protection costs that may include organizational changes,
deploying additional personnel and protection technologies, training
employees, and engaging third party experts and consultants; - Lost
revenues resulting from unauthorized use of proprietary information or the
failure to retain or attract customers following an attack; - Litigation;
and - Reputational
damage adversely affecting customer or investor confidence.