Cybersecurity and Corporate Governance: Guidelines for Mitigating Regulatory Risk


As cybersecurity breaches have disrupted the operations and damaged the reputations of many well-known companies, government agencies like the Securities and Exchange Commission (SEC) have heightened oversight. As a result, there is a growing recognition that cybersecurity is not just a technical problem—it also poses challenges to public companies’ corporate governance and compliance processes.

Cybersecurity as a Governance Challenge

The risks that security breaches of interconnected network systems pose to a company can be devastating. One out of every three Americans experienced some compromise of their personal information in 2018.1 For organizations that year, the average total cost of a data breach was $7.91 million, with a large breach of 1 million records costing $40 million and a mega breach of 50 million records costing over $350 million.2

These incidents represent material risks, and the SEC has made it clear that cybersecurity is an area where it intends to focus its enforcement resources. It has implemented a number of cyber-related programs, including an active “Cyber Unit” created in late 2017.3

The SEC views a failure to properly inform investors about a cyber-breach through the lens of not only securities law disclosure obligations, but also insider-trading rules. Its February 2018 Commission Guidance clarified that cybersecurity policies constitute disclosure controls, and corporate insiders may not trade while in possession of non-public information regarding a significant cyber-incident. The Guidance stated, “[It] is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”4

By reviewing controls, policies and procedures before an incident or an audit—and making required investments in training and infrastructure—companies can better protect themselves not only from damage to reputation and long-term valuation, but also significant regulatory disruptions.

Morgan Stanley teamed up with three leading experts in corporate governance—Stephen T. Giove, former partner at Shearman & Sterling, Michael L. Andresino, partner at Arent Fox LLP, and Thomas S. Brennan, also a partner at Arent Fox LLP—to provide guidelines for oversight, policies, procedures, disclosure controls and action steps to improve your approach to cybersecurity.

Oversight
1. Prioritize Cybersecurity

An organization reflects the priorities of its senior policymakers. The board of directors and senior management need a strong commitment to the corporate governance aspects of cybersecurity.

2. Understand the Risks

At least one member of the board must be able to understand, and convey to others, the data privacy and other cybersecurity risks the company faces.

3. Ensure Board Oversight

Boards need to approach cybersecurity as an enterprise-wide issue with a robust risk-management framework, understand the legal implications, maintain regular access to cybersecurity expertise and have specific plans for which cyber-risks to avoid, accept, mitigate, or transfer through insurance.5

4. Include IT Executives

Cyber-risks and potential responses must become part of the mix of information that makes its way to the board. This may require increasing the standing of IT professionals, adding them to the senior leadership team, or otherwise facilitating their regular participation at the board level.

Policies and Procedures

1. Guide Your Employees

Train all your stakeholders to protect against cyberthreats and respond appropriately—before an incident occurs. Within your suite of governance, compliance and conduct policies, cybersecurity information should include specific details on handling customer and employee data, password protection, posting on social media, use of personal emails, devices and software, and clear lines of communication for questions and reporting issues.

2. Clarify Insider-Trading Policies

Your insider-trading policy should educate employees that the discovery of a cyber-breach may constitute material non-public information.

3. Define the Insider-Trading Window

Avoid the appearance of improper trading during the period between discovery and disclosure of a cyber-incident.6 To determine when to close your trading window, consider the extent to which an insider has an informational advantage over the market7 and the potential harm it could cause.

4. Vet Your Preclearance List

Review the list of employees covered under your insider-trading policy and ensure IT and information security officers are included.

5. Bring Your Insider-Trading Preclearance Officer Into the Loop

One of the difficult aspects of cybersecurity compliance is the delay between a data breach or hacking event and its discovery, with further delays while the incident is evaluated, safeguards are implemented, damage is assessed, and response and recovery actions begin. The company’s insider-trading preclearance officer must be brought into these discussions as early and fully as possible.

6. Wait Before Opening the Trading Window

In general, the window can open one or two business days after full disclosure of a cyber-incident. The more thinly traded the stock, the longer the recommended wait.

7. Extend Your Regulation Fair Disclosure (Reg FD) Program

The SEC expects companies to have procedures in place to prevent selective disclosure of material non-public information. Your policy should address who is authorized to speak for the company and make everyone at your organization aware that cyber-events are potentially market-moving—including IT, information security and other employees who could be involved in a cyber-event.

Disclosure Controls
1. Securities Disclosure Compliance

Companies should regularly assess whether they have procedures in place to ensure information about cybersecurity risks is identified and reported up the corporate ladder.8 If possible, include representatives of the disclosure committee in the cybersecurity risk-management group.

2. Include Technology Personnel

The SEC expects disclosure procedures to cross functional lines within the company, with “open communications between technical experts and disclosure advisors” and “timely disclosures regarding such risks and incidents.”9

3. Piggyback on Existing Risk Infrastructure

Your company likely already has a formal cyber-incident response plan, which can be leveraged for cybersecurity disclosure. Cyber-incident response plans generally classify the potential magnitude of an incident and provide for escalation of the company’s response based on that classification. Incidents exceeding a certain magnitude can automatically trigger the closing of a trading window or the implementation of additional measures to prevent selective disclosure.10

Take Action

The intersection of cybersecurity, corporate governance and securities compliance raises a series of sometimes difficult questions. The sooner a company begins to address these challenges, rather than waiting for an incident to occur, the better.

With an end-to-end approach to workplace financial solutions, Morgan Stanley at Work provides a unique combination of thoughtful education, insightful advice and leading technology to help your workforce feel more invested and productive.


1 Business Wire, October 17, 2018.
2 2018 Cost of a Data Breach Study: Benchmark research sponsored by IBM Security, July 2018.
3 Securities and Exchange Commission, Division of Enforcement, 2018 Annual Report (“SEC Enforcement Annual Report”).
4 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” Release Nos. 33-10459; 34-82746, February 21, 2018 (“Cybersecurity Release”).
5 National Association of Corporate Directors, “Cyber-Risk Oversight,” Director's Handbook Series, page 4.
6 Cybersecurity Release, page 22.
7 The Corporate Counsel, Vol. XLIII, No. 5, September-October 2018 (the “Corporate Counsel”), page 2.
8 Cybersecurity Release, page 18.
9 Cybersecurity Release, page 20.
10 The Corporate Counsel, pages 2-3.

© 2020 Morgan Stanley Smith Barney LLC. Member SIPC.

CRC#3284789 (10/2020)