As cybersecurity breaches have disrupted the operations and damaged the reputations of many well-known companies, government agencies like the Securities and Exchange Commission (SEC) have heightened oversight. As a result, there is a growing recognition that cybersecurity is not just a technical problem—it also poses challenges to public companies’ corporate governance and compliance processes.
The risks that security breaches of interconnected network systems pose to a company can be devastating. One out of every three Americans experienced some compromise of their personal information in 2018.[1] For organizations that year, the average total cost of a data breach was $7.91 million, with a large breach of 1 million records costing $40 million and a mega breach of 50 million records costing over $350 million.[2]
These incidents represent material risks, and the SEC has made it clear that cybersecurity is an area where it intends to focus its enforcement resources. It has implemented a number of cyber-related programs, including an active “Cyber Unit” created in late 2017.[3]
The SEC views a failure to properly inform investors about a cyber-breach through the lens of not only securities law disclosure obligations, but also insider-trading rules. Its February 2018 Commission Guidance clarified that cybersecurity policies constitute disclosure controls, and corporate insiders may not trade while in possession of non-public information regarding a significant cyber-incident. The Guidance stated, “[It] is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”[4]
By reviewing controls, policies and procedures before an incident or an audit—and making required investments in training and infrastructure—companies can better protect themselves not only from damage to reputation and long-term valuation, but also significant regulatory disruptions.
Morgan Stanley teamed up with three leading experts in corporate governance—Stephen T. Giove, former partner at Shearman & Sterling, Michael L. Andresino, partner at Arent Fox LLP, and Thomas S. Brennan, also a partner at Arent Fox LLP—to provide guidelines for oversight, policies, procedures, disclosure controls and action steps to improve your approach to cybersecurity.
An organization reflects the priorities of its senior policymakers. The board of directors and senior management need a strong commitment to the corporate governance aspects of cybersecurity.
At least one member of the board must be able to understand, and convey to others, the data privacy and other cybersecurity risks the company faces.
Boards need to approach cybersecurity as an enterprise-wide issue with a robust risk-management framework, understand the legal implications, maintain regular access to cybersecurity expertise and have specific plans for which cyber-risks to avoid, accept, mitigate, or transfer through insurance.[5]
Cyber-risks and potential responses must become part of the mix of information that makes its way to the board. This may require increasing the standing of IT professionals, adding them to the senior leadership team, or otherwise facilitating their regular participation at the board level.
Train all your stakeholders to protect against cyberthreats and respond appropriately—before an incident occurs. Within your suite of governance, compliance and conduct policies, cybersecurity information should include specific details on handling customer and employee data, password protection, posting on social media, use of personal emails, devices and software, and clear lines of communication for questions and reporting issues.
Your insider-trading policy should educate employees that the discovery of a cyber-breach may constitute material non-public information.
Avoid the appearance of improper trading during the period between discovery and disclosure of a cyber-incident.[6] To determine when to close your trading window, consider the extent to which an insider has an informational advantage over the market[7] and the potential harm it could cause.
Review the list of employees covered under your insider-trading policy and ensure IT and information security officers are included.
One of the difficult aspects of cybersecurity compliance is the delay between a data breach or hacking event and its discovery, with further delays while the incident is evaluated, safeguards are implemented, damage is assessed, and response and recovery actions begin. The company’s insider-trading preclearance officer must be brought into these discussions as early and fully as possible.
In general, the trading window can reopen one or two business days after full disclosure of a cyber-incident. The more thinly traded the stock, the longer the recommended wait.
The SEC expects companies to have procedures in place to prevent selective disclosure of material non-public information. Your policy should address who is authorized to speak for the company and make everyone at your organization aware that cyber-events are potentially market-moving—including IT, information security and other employees who could be involved in a cyber-event.
Companies should regularly assess whether they have procedures in place to ensure information about cybersecurity risks is identified and reported up the corporate ladder.[8] If possible, include representatives of the disclosure committee in the cybersecurity risk-management group.
The SEC expects disclosure procedures to cross functional lines within the company, with “open communications between technical experts and disclosure advisors” and “timely disclosures regarding such risks and incidents.”[9]
Your company likely already has a formal cyber-incident response plan, which can be leveraged for cybersecurity disclosure. Cyber-incident response plans generally classify the potential magnitude of an incident and provide for escalation of the company’s response based on that classification. Incidents exceeding a certain magnitude can automatically trigger the closing of a trading window or the implementation of additional measures to prevent selective disclosure.[10]
The intersection of cybersecurity, corporate governance and securities compliance raises a series of sometimes difficult questions. The sooner a company begins to address these challenges, rather than waiting for an incident to occur, the better.
With an end-to-end approach to workplace financial solutions, Morgan Stanley at Work provides a unique combination of thoughtful education, insightful advice and leading technology to help your workforce feel more invested and productive.