How Investors, Public Companies View SEC’s Cybersecurity Disclosure Requirements

Disclosure requirements can be a hassle for companies, but investors seek to understand material risks.

Reported by Matt Toledo

Art by Irene Servillo

 


Asset managers are investing in it for their operations. Investors are tracking information about it in their portfolio companies. Those companies are taking part in exercises to execute it.

In December 2023, the Securities and Exchange Commission’s new rules for public companies went into effect, regulating how companies disclose cybersecurity threats and breaches. The rules had been finalized by the SEC in July 2023.

As part of these disclosures, public companies must report material cybersecurity breaches within four business days of their occurrence, using Item 1.05 of Form 8-K. Investors use these disclosures to vet the cybersecurity practices of public companies, which can inform how vulnerable these companies are to data breaches or other digital issues.

As part of the disclosures, companies are required to disclose how these breaches affect their financials, valuable information to investors. Companies are required to annually disclose how they assess and manage material cybersecurity risks, as well as to detail the extent of board oversight over cybersecurity risks and the experience of management in addressing them.

According to an August report from ISS STOXX, the parent company of CIO, approximately 700 cybersecurity incidents were reported across companies in the Russell 3000 Index in 2022 and 2023.

“The SEC’s guidance advises that even if the full impact of an incident is not immediately clear, companies should provide investors with essential information about the incident’s nature, scope, and timing in the initial disclosure under Item 1.05,” according to the website of

Not Giving Anything Away

According to cybersecurity firm Varonis, many public companies do not want to reveal the capabilities of their cybersecurity protections to investors or potential attackers. “For companies whose cybersecurity programs are not up to par, disclosing their cyber capabilities will be a formidable task,” Rob Sobers, the chief marketing officer at Varonis, wrote in a December 2023 report. “Many companies are not ready to reveal the extent of their cyber capabilities to investors.”

Jennifer Minter, the corporate section chair at Buchanan Ingersoll, and Michael McLaughlin, the co-leader of the cybersecurity and data privacy practice group at Buchanan Ingersoll, say one example of public companies’ reluctance to reveal much about their cybersecurity practices is the recent CrowdStrike outage.

“Public companies impacted by this outage are working to balance providing sufficient disclosure to their stakeholders against potential future risk to their networks and concern that the street may overreact to disclosure that didn’t have a material impact on the company, despite the media coverage given to the event,” Minter says.

One issue that worries public companies about disclosing their cybersecurity practices, is that it could give insight to potential hackers. “The challenge for these companies is whether and how to report being affected by the outage—possibly giving malicious actors insights into their security controls that could result in future harm,” Minter says.  

But still, not disclosing enough could lead to regulatory scrutiny. “[The other possibility is] not providing robust disclosure in their 10-K regarding the event, [which would result in] being potentially subject to SEC review and comment or appearing to be less forthcoming than peer companies.”

The benefit of the disclosures still largely depends on how comprehensively companies communicate the nature and impact of cyber incidents, says Elizabeth Davis, senior director analyst at Gartner.

Do Investors Find Required Disclosures Valuable?

The goal of the SEC disclosures is to provide investors with information about the material risks associated with cyberattacks and to provide information about how companies are approaching these risks through their own practices.

A spokesperson for the California Public Employees’ Retirement System says that because the rules are relatively new, it will take time to assess their impact. Still, the fund has, in the past, been supportive of the SEC’s decision to implement cybersecurity disclosure requirements.

“We believe that all investors, whether large institutions or private individuals, should have access to disclosures that allow them to make informed proxy voting and investment decisions,” wrote CalPERS CEO Marcie Frost in a 2022 letter to the SEC supporting cybersecurity disclosure requirements.

The SEC disclosure rules have significantly increased transparency related to cybersecurity incidents involving public companies, says Marino Monti, chief information security officer at Voya Financial, but some issues still exist.

“It remains to be seen whether the right balance has been struck,” Monti says. “For instance, there is limited visibility into how often the national security or public safety exception has been used to withhold disclosure. Over the past 10 months, companies have disclosed more information than ever before, providing valuable insights into the types and descriptions of breaches they have encountered. This level of detail was not typically available to the public in the past.”

Monti says the disclosure rules have prompted many companies to strengthen their cybersecurity controls, benefiting the companies and their shareholders.

“On the other hand, there is ongoing concern about excessive enforcement risk, where regulators like the SEC may be indirectly regulating areas such as governance and operational risk management, which are not within their mandate of investor protection,” Monti says.

Keeping Up With Compliance and New Practices 

Asset management firms and asset owners themselves have increasingly boosted the resources they allocate to cybersecurity. According to a September 2023 Moody’s Ratings survey of 110 insurers and asset managers, cybersecurity spending increased more than 50% between 2019 and 2023.

According to a 2023 report on the largest 500 asset managers from the Thinking Ahead Institute at WTW, 77% of asset managers increased their resources committed to technology and big data in 2023, and 66% increased their resources committed to cybersecurity.

According to ISS STOXX’s August report, the number of public companies briefing their boards on cybersecurity rose to 98% in August from 35% in February as a result of the SEC cybersecurity disclosures.

Related Stories:

Cybersecurity M&A Balloons as Breach Danger Builds

Tags
Asset Management, Asset Owners, California Public Employees’ Retirement System, Cybersecurity, Jennifer Minter, Marcie Frost, Marino Monti, Michael McLaughlin, Rob Sobers, SEC, Securities and Exchange Commission,