“Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” — SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures

On Feb. 21, 2018, the U.S. Securities and Exchange Commission (SEC) released updated guidance on cybersecurity disclosure for public companies. The new document revises the agency's previous guidance, issued in 2011, on cyber risks and their impact on investment decisions.

SEC Sets New Standards for Cybersecurity Disclosure

In a press release announcing the update, SEC Chairman Jay Clayton shared his aim to ensure that companies provide “more complete information” to investors about cyber risks and incidents. He also urged companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” Specifically, the SEC guidance cautioned companies to “avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.” It also pointed to Regulation FD, which restricts the selective disclosure of material nonpublic information to outside parties such as brokers and dealers, investment advisers and others who might reasonably be expected to trade on it.

However, the main focus of the updated SEC guidance is the need for board directors and company executives to review their controls and procedures to ensure that their cybersecurity disclosure responsibilities are properly discharged. Pointing to the increasing frequency, magnitude and cost of cyber incidents, the document stated that public companies should “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”

In addition, the SEC guidance made it clear that if investors are kept in the dark about security incidents, not only should companies expect class action suits, but they’ll have the SEC on their backs as well. In the agency’s words, the SEC “continues to monitor cybersecurity disclosures carefully.”

Impact for Board Directors: Focus on Disclosure

The SEC document noted that the responsibility for clear and prompt disclosure falls squarely on the shoulders of board directors. The board is responsible for ensuring that the organization has appropriate disclosure controls and procedures “to make accurate and timely disclosures of material events.” This helps investors grasp the impact of a cyber incident on the organization and its business, finances, operations and, of course, liability.

The issue of disclosure is further complicated by the need to detect an incident, properly handle the company’s response, recover operations and ensure that all stakeholders are properly notified, from the incident response team all the way to the board. Furthermore, the document stated that the ongoing status of an investigation does not exempt organizations from having to disclose a material security incident. The commission also advised organizations to provide specific information that is meaningful to investors in incident reports.

Impact for Board Directors: Oversight of Cyber Risks

The guidance explained that threat actors have different motives, from financial gain to hacktivism, and that security incidents can also happen due to malicious or negligent insiders. In addition, the consequences of cyberattacks can take many forms, from lost business to reputational damage, strained relationships with suppliers and clients, fines, lawsuits and more.

The SEC emphasized that a breached organization must “disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” With this language, it would be extremely difficult for board directors to avoid their responsibility to engage with the C-suite to ensure that cyber risks are managed effectively. In other words, the days of putting your head in the sand are finally over, although most organizations have already phased out this approach.

This can be an opportune time for boards to increase their engagement regarding cyber risks, starting with a review of where the chief information security officer (CISO) sits on the organizational chart and how well cyber risks are integrated into a larger enterprise risk management (ERM) framework. Boards should also review their organization’s three lines of defense and, if need be, get a second opinion from an external source about the effectiveness of the cyber risk management program.

Impact for CISOs: Collaboration and Communication

Just as directors are in the crosshairs of the SEC, CISOs will be in the crosshairs of board directors. Security leaders need to step up and provide mechanisms to discern the impact and “potential materiality” of cyber risks.

For some CISOs, this will require increased collaboration and cooperation with chief risk officers (CROs) to determine more accurate, timely and objective ways to evaluate and communicate cyber risks. It will also invite increased scrutiny of the organization’s risk management program, both by the C-suite and the board. CISOs should aim to simplify their dashboard, create that elusive single pane of glass and ensure that their communications with board directors are clear and effective.

In other words, when it comes to reporting on cyber risks, CISOs should review the accuracy and timeliness of their reports and ensure that the communications are:

  1. Appropriate and relevant to their audience;

  2. Grounded in a business mindset;

  3. Based on quality data; and

  4. Transparent about weak or unverified data.

The last point is specifically mentioned in the SEC guidance, which noted that any untrue or misleading disclosures need to be corrected quickly at the next possible iteration.

Overall, the updated SEC guidance set the bar a little higher and provided clear reminders — or, when needed, warnings — about the responsibilities of management and the board regarding cybersecurity disclosure.
