Understanding Cybersecurity Risks
“In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies…”
The threat of cybercrime has become a major reality for businesses all over the world, and regulators say it will only become more prevalent.
As such, mitigating cybersecurity risk has become one of the prime points of focus for securities regulators. In addition to regulation and oversight, the SEC regularly informs and advises companies and investors about common cybersecurity risks and related preventative measures.
SEC Report to Public Companies
The recent 24-page report provides an updated interpretation of the SEC’s stance on cybersecurity disclosure. The statement gives public companies a clear understanding of how cybersecurity risks must be disclosed under SEC regulations, particularly as those risks affect investors. The original guidance, published in 2011, described public companies’ obligations to disclose cybersecurity threats but did not outline specific procedures.
In the wake of widespread scandals involving large-scale data breaches at public companies (Sony in 2014, Equifax in 2017), the SEC has deemed it necessary to give public companies a clearer understanding of what they are required to disclose to regulators and investors, and how that disclosure needs to happen.
It’s a system of checks and balances. If potential, or even actual, cybersecurity risks are left unchecked and undisclosed to regulators, then:
- Little can be done to mitigate the damage to investors and other stakeholders
- There is no way to put preventative measures and safeguards in place against future risk
That is on top of the reputational damage and potential legal consequences for businesses that fail to disclose risks properly.
So what does a public company’s disclosure of cybersecurity risks mean to you?
While the report is directed at public companies, there is information in it that you will find applicable as an investor. The most widespread (and costly) damage from cyber attacks is data loss: personal data such as personnel records, shareholder information, and account information. It’s the kind of data you don’t want getting into the wrong hands, especially if you are an investor. So, while a cybersecurity attack may be directed at a public company, it is the investors who get hit.
While the report does have information you need to know, all 24 pages may not be relevant to you. So to save you some time, we took a look at the full SEC report. We’re bringing you the main takeaways so you can understand what this means for you and your investments.
If you would like to take a look yourself, you can also read the full report here.
Understanding Disclosure Guidelines
When you invest, what is one of the biggest factors to consider?
R-I-S-K
Before you pull the trigger on any investment, you will want to know the risks. There are always going to be risks, that’s the name of the game, but for the most part these should be risks you can account for and anticipate. But what happens if certain risks are concealed from you, and you are not equipped with the resources to address them should those risks become a threat?
That’s where disclosure laws come in. In any investment situation, whether you’re buying a house or a securitized asset, you are entitled to full disclosure of the potential or actual risks concerning that asset.
The same goes when you are considering an investment in a public company: you will want to know the material risks associated with it. It is standard procedure to review a company’s risk profile in order to assess its investment value. The issue prompting the SEC’s updated guidance is that, in light of the rising threat of cybercrime, companies have not been making a great enough effort to properly disclose cybersecurity risks to investors.
Assessing Cybersecurity Risks
Before investing in a public company, make sure you have done a proper risk assessment, including:
- A thorough review of the company’s disclosure documents, in particular the risk factors in its periodic reports
- An inquiry into the company’s cybersecurity risks and the cyber threats it faces
The SEC guidelines spell out specific circumstances in which a public company must disclose cybersecurity risks to investors, including in any periodic report covering business operations, risk factors, and legal proceedings, and whenever it furnishes material information necessary to make an investment decision.
Companies are not obligated to disclose the technical details of their cybersecurity frameworks or operations, since doing so could undermine existing security measures by giving attackers a roadmap in the event of an attack.
Essentially, they need to provide you with the information you need to make an informed investment decision, as well as the ability to respond in the event of a cyber attack.
What to Do if You Become the Victim of a Cyber-attack
If you find that one or more of your investment accounts has been compromised by a cyber-attack, there are a few things you need to do immediately:
Notify your financial institution and/or investment firm
Letting them know as soon as possible that one or more of your accounts may have been compromised will help them catch any unauthorized changes to the account. Make sure you document all discussions you have, including dates and the names of the people you spoke with, for reference.
Change all of your investment/financial account passwords and login codes
If you believe that your login information for any of your accounts may have been stolen, change your passwords immediately, from a device you trust. If you used one password for multiple accounts, make sure you have changed all of them, and do not replace it with a minor variation of the old one.
Close hacked accounts
You may want to consider speaking with your investment firm or advisor about closing your account and transferring assets to a new one if you notice suspicious activity.
Put a fraud alert on your credit profile
If you believe you have been the victim of identity theft, you can notify any one of the major credit reporting companies to have an initial fraud alert placed on your credit file. Any bank or lender that views your credit file will then see the identity theft alert before extending credit in your name.
Additional Resources
Suffering a cyber-attack that hurts your investments can leave you with a lot to deal with. If you need any information or assistance in recovering your investment after a cyber-attack, contact our team.