SEC’s New Cybersecurity Disclosure Rule Targets Increasing Risk
What do such recognizable companies as T-Mobile, ChatGPT, Chick-fil-A, Google Fi, and MailChimp all have in common? These companies (alongside many others) have all been victims of major data breaches so far this year.[1]
In an increasingly digital landscape, the threat of cyberattacks has emerged as a pressing concern for businesses and investors alike, carrying the potential to disrupt business operations and diminish investor trust. The U.S. Securities and Exchange Commission has responded by implementing a new cybersecurity rule requiring public companies and some foreign issuers to disclose material cybersecurity incidents, as well as annual disclosure of information regarding cybersecurity risk management, strategy, and governance.[2]
The Rule recognizes the vital importance of transparent and comprehensive reporting of cyberattacks and their potential impact on companies. The financial toll of cyberattacks cannot be underestimated. The cost of cybercrime includes expenses related to recovery, legal fees, reputation management, and potential regulatory fines. In 2022, the FBI’s Internet Crime Complaint Center received 800,944 complaints, and reported over $10.3 billion in losses related to cybercrime. Of that, $3.3 billion in losses stemmed from investment fraud, an increase of 127% from the previous year. The losses from cryptocurrency cyber fraud, a major enforcement focus for the SEC, rose to $2.57 billion in 2022, from $907 million in 2021. And the global average cost of a data breach reached an all-time high of $4.45 million in 2023.
The growing frequency of cyberattacks is also a stark reminder of the pervasive threat they pose to businesses and investors alike. In 2022, cyberattacks reached an all-time high in response to the Russo-Ukrainian war. Overall, global cyberattacks increased by 38% in 2022 compared to the prior year. And a 2007 study done by the Clark School at the University of Maryland found that on average, a cyberattack occurs every 39 seconds. This frequent onslaught can disrupt operations and ultimately damage businesses and their assets.
The impact of cyberattacks extends beyond immediate financial losses for companies and investors. Companies also face the risk of diminished confidence from customers and investors in the aftermath of a breach.
With the SEC’s cybersecurity disclosure rule in place, investors can gain insight into a company’s cybersecurity posture, helping them assess potential risks and rewards more accurately. It underscores the need for transparent and comprehensive reporting of cyber threats, their associated costs, frequency, and implications. By doing so, the rule empowers investors to make informed decisions and encourages companies to bolster their cybersecurity measures, ultimately fostering a more secure investment landscape.
Emily Stabile is a Partner at Phillips & Cohen
[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm (T-Mobile); https://apps.web.maine.gov/online/aeviewer/ME/40/ea3bf342-eca7-4833-b128-7b09f6893ac4.shtml (T-Mobile); https://openai.com/blog/march-20-chatgpt-outage (ChatGPT); https://www.al.com/news/2023/03/chick-fil-a-data-breach-confirmed-what-customers-should-do-now.html (Chick-fil-a); https://gizmodo.com/google-fi-hacked-t-mobile-data-breach-what-do-i-do-1850055068 (GoogleFi); https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/ (MailChimp).