What customers want and what regulators require - AWS Prescriptive Guidance

What customers want and what regulators require

As a control objective for the industry, the U.S. Securities and Exchange Commission (SEC) examines the fairness of a deal to both the purchaser and the target company, to ensure that the deal is not coerced, that there is no fraud, and that neither party escapes regulatory liability.

Accordingly, SEC guidance states that corporations should consider disclosing material information about cyber risks, not only in general terms but also on an incident-by-incident basis. The SEC suggested that a corporation, in determining the contours of its disclosure, should weigh the following factors:

  • Frequency and severity of prior cyber incidents

  • Probability of cyber incidents occurring, and their potential costs and consequences (for example, misappropriation of assets or sensitive information, corruption of data, or disruption of operations)

  • Adequacy of preventative actions taken

  • Risk level of threatened attacks

The SEC further suggested that companies, within their corporate filings, might want to disclose the following, based on their circumstances and materiality:

  • Aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences

  • Descriptions of any outsourced functions that might have material cybersecurity risks and how the registrant addresses those risks

  • Descriptions of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including the costs of the incident and of the response (such as investigation, penalties, and settlements)

  • Risks related to cyber incidents that might remain undetected for an extended period

  • Description of cyber risk insurance policy coverage or any relevant risk transfer agreements

The SEC enforces rules for SEC-registered broker-dealers and investment advisers, who are held accountable for protecting customer data and for the accuracy of their cybersecurity disclosures. Although there is no explicit SEC rule penalizing companies that don't follow the guidelines, the M&A or divestiture process becomes considerably more expensive and lengthy for such companies, especially if the seller experienced a cyber incident and didn't disclose the associated risks, or experienced changes in its stock price. The National Association of Corporate Directors (NACD) recommends that management retain external subject-matter and legal expertise for its incident response plans and receive regular updates. For more information, see Cyber-Risk Oversight: Director's Handbook Series (NACD, 2017).