SEC's New Cybersecurity Disclosure Rules and Investor Transparency

The SEC has implemented new cybersecurity disclosure rules to enhance investor transparency, but companies are falling short in providing comprehensive information about the material impacts of cybersecurity incidents. This article explores the deficiencies in current disclosures and the need for companies to improve their compliance and transparency.

Shortcomings of Current Cybersecurity Disclosures

( Credit to: Forbes )

The recent implementation of new cybersecurity disclosure rules by the SEC aimed to enhance investor transparency. However, companies have been falling short in providing comprehensive information about the material impacts of cybersecurity incidents. This article explores the deficiencies in the current disclosures and the need for companies to improve their compliance and transparency.

Lack of Compliance with SEC Requirements

Despite notable companies making incident disclosures since the new rules came into effect, none of them are fully compliant with the SEC's requirements. While the companies have provided initial information about the incidents, they have failed to include details about the material impacts or reasonably likely material impacts, as mandated by the SEC. Furthermore, the disclosures solely focus on qualitative impacts, with no mention of any quantitative impacts such as revenue loss or share value decline.

This lack of disclosure regarding material impacts raises questions about why companies are making filings without providing this crucial information. For example, UnitedHealth Group disclosed an unauthorized intrusion, which Moody's deemed "credit negative" for the company. However, UnitedHealth Group has not provided any information on the material impacts or new details about the incident. Similarly, Microsoft's disclosure of executive email hacking raises concerns about potential exposure of strategic plans, financial projections, and third-party discussions.

Challenges in Compliance and Future Outlook

Complying with the new SEC rules presents unique challenges for each registrant, as each must determine its own processes for compliance. The concept of materiality in the cybersecurity context is still evolving, and further guidance or regulation from the SEC is likely. Companies may face penalties for non-compliance, leading to the development of more structured processes. Additionally, institutional investors may exert pressure on boards to provide more details on how IT systems create and support value for the company, now that a regulatory baseline is in place.

The Importance of Material Impact Disclosure

The SEC's new cybersecurity disclosure rules aim to improve investor transparency regarding cybersecurity risks and incidents. However, the current disclosures made by companies have fallen short of the SEC's requirements, particularly in providing details about material impacts. It is crucial for companies to understand and communicate the far-reaching consequences of cybersecurity incidents to ensure investors are adequately informed. Further guidance and regulation from the SEC, along with increased pressure from stakeholders, are expected to drive improvements in compliance and transparency.
