SEC Issues Guidance on Cybersecurity for Public Companies
Technology Services • Published 3/20/2018


Companies that fall victim to cybersecurity attacks can incur substantial costs, and public companies are not immune. In today’s world, public companies rely on digital technology to do business with their customers and partners. These digital technologies and networked systems present unique cyber risks, and without proper protection a company can become the target of the next cyber threat.

On February 21, 2018, the Securities and Exchange Commission (SEC) issued a guidance statement on Public Company Cybersecurity Disclosures. The “Guidance” serves to warn public companies that there is a need to enhance cybersecurity risk assessment and reporting programs.

The most impactful information in the guidance statement concerns the need to report, on a periodic basis, the costs associated with material cybersecurity risks and with breaches.

Why Traditional Risk Management No Longer Works

Traditional risk management strategies have not included a mechanism for assigning a value to risk. Frameworks such as NIST, COBIT and ISO can assist in rating risk to the organization and help prioritize response, but they do not include monetary impact. Fortunately, there are processes that can augment existing frameworks and allow companies to assign a monetary value to risks, as well as to the efforts associated with cybersecurity risk management and response.

Areas of Evaluation

When determining what areas should be evaluated for fiscal impact, the guidance statement suggests public companies contemplate the following issues, among others, in evaluating cybersecurity risk factors and what information should be included in the disclosure:

  • The occurrence of prior cybersecurity incidents, with severity and frequency
  • The probability of the occurrence and potential magnitude of cybersecurity incidents
  • The adequacy of preventative actions taken to reduce cybersecurity risks, and the associated costs, and where appropriate, the limits of the company’s ability to prevent or mitigate certain cybersecurity risks
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks
  • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers
  • The potential for reputational harm
  • Existing or pending laws and regulations that may affect the requirements (and costs) to which companies are subject relating to cybersecurity
  • Cybersecurity incident litigation, regulatory investigation, and remediation costs

Identifying Your Cybersecurity Risks

Risks identified through your cybersecurity program (and the management of those risks) represent real, equivalent business risks with material impact. If you need assistance in defining your cybersecurity risks in financial terms, please contact us at or visit one of our Postlethwaite & Netterville (P&N) locations.

To access the full guidance statement: click here.
