SEC Publishes New Guidelines for Disclosing Cybersecurity Risks to Investors

Savage Villoch Law, PLLC
Understanding Cybersecurity Risks

In today’s digital age, the use of technology to facilitate investments has become largely commonplace. We can see many examples of how investing has moved to the cyber-realm from online investing platforms to robo-advisers. While this has greatly empowered investors to take more direct control over their investment strategy, it has also increased the potential vulnerability to cyber fraud and theft.

“In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies…”

The above quote comes from a newly published memo by the Securities and Exchange Commission (SEC). The memo sets forth guidelines and procedures for public companies to inform investors and regulators of cybersecurity risks. The threat of cybercrime has become a major reality for businesses all over the world, and regulators say it will only become more prevalent.

As such, mitigating cybersecurity risks has become one of the prime points of focus for securities regulators. In addition to regulation and oversight, the SEC regularly informs and advises about common cybersecurity risks and related preventative measures.

SEC Report to Public Companies

The recent 24-page report provides an updated interpretation of the SEC’s stance on cybersecurity disclosure. The statement provides public companies with a clear understanding of how cybersecurity risks must be disclosed, particularly as they impact investors, per SEC regulations. The original report, published in 2011, described public companies’ obligations in disclosing cybersecurity threats but did not outline a specific procedure. In the wake of widespread scandals involving large-scale data breaches of public companies (Sony in 2014, Equifax in 2017), the SEC has deemed it necessary to provide public companies with a clearer understanding of what they are required to disclose to regulators as well as how it needs to happen. It’s a system of checks and balances. If potential, or even actual, cybersecurity risks are left unchecked and/or undisclosed to regulators, there is:

  1. Nothing that can be done to mitigate damage to investors/stakeholders
  2. No way to implement preventative measures/safeguards against future risk

This is in addition to the damage to reputation and the potential legal consequences for businesses that fail to disclose risks properly.

So what does a public company’s disclosure of cybersecurity risks mean to you?

While the report is directed at public companies, there is information that you will find applicable as an investor. The most widespread (and costly) damage from cyber attacks is data loss, namely personal data: personnel records, shareholder information, account information. It’s the kind of stuff you don’t want getting into the wrong hands, especially if you are an investor. So, while a cybersecurity attack may be directed towards a public company, it’s investors that are getting hit. While the report does have info you need to know, all 24 pages may not be exactly relevant to you. So to save you some time, we took a look at the full SEC report. We’re bringing you the main takeaways so you can understand what this means for you and your investments.

If you would like to take a look yourself, you can also read the full report here

Understanding Disclosure Guidelines

When you invest, what is one of the biggest factors to consider? R-I-S-K. Before you pull the trigger on any investment, you will want to know the risks. There are always going to be risks – that’s the name of the game – but for the most part, these should be accountable risks; ones you can anticipate. But what happens if certain risks are concealed from you and you are not equipped with the resources to address them, should those risks become a threat? That’s where disclosure laws come in. In any investment situation, whether you’re buying a house or a securitized asset, you are entitled to a full disclosure of potential or real risks concerning that asset. The same goes when you are considering an investment in a public company; you will want to know the material risks with which it is associated. It is standard procedure to review a company’s risk profile in order to assess its investment value. The issue prompting the SEC’s updated guidelines report is that, in light of the rising threat of cybercrime, there is not a great enough effort to properly disclose cybersecurity risks to investors.

Assessing Cybersecurity Risks

Before investing in a public company, make sure you have done a proper risk assessment including:

  • Thorough review of your disclosure agreement
  • Inquiry into cybersecurity risks and cyber-threats

The SEC guidelines spell out specific circumstances in which a public company must disclose cybersecurity risks to investors, including with the issuance of any periodic reports disclosing business operations, risk factors, and legal proceedings, and upon furnishing material information necessary to make an investment decision. Companies are not obligated to disclose cybersecurity frameworks or operations, in order to preserve existing security measures in the event of an attack. Essentially, they need to provide you with actionable resources to make an informed investment decision as well as with the ability to respond in the event of a cyber attack.

What to Do if You Become the Victim of a Cyber-attack

If you find that one or more of your investment accounts has been compromised by a cyber-attack, there are a few things you need to do immediately:

Notify your financial institution and/or investment firm

Letting them know as soon as possible that one or more of your accounts may have been compromised will help them catch any out-of-place changes to the account. Make sure you document all discussions you have for reference.

Change all of your investment/financial account passwords and login codes

If you believe that your login information to any of your accounts may have been stolen, change your passwords immediately. If you use one password for multiple accounts, make sure you have changed all of them.

Close hacked accounts

You may want to consider speaking with your investment firm or advisor about closing your account and transferring assets to a new one if you notice suspicious activity.

Put a fraud alert on your credit profile

If you believe you have been the victim of identity theft, you can notify any one of the major credit reporting companies to have an initial fraud alert placed on your account. This will allow any bank or crediting institution to view an identity theft alert when viewing your credit file.

Additional Resources

Suffering a cyber-attack that hurts your investments can leave you with a lot to deal with. If you need any information or assistance in recovering your investment after a cyber-attack, contact our team.
