Cyber-attacks and data breaches can wreak havoc on companies and investors alike including financial, legal, operational, and reputational damage. As an illustration, on July 12, 2024, AT&T announced an update regarding the massive customer data breach, which included information that “was illegally downloaded from our workspace on a third-party cloud platform.” In the wake of AT&T’s disclosure that the calls and texts of nearly all of its wireless customers were hacked, its stock fell 0.5%.

Between November 2023 and April 2024 alone, a report confirmed that 6,845,908,997 known records were breached in 2,741 publicly disclosed incidents. According to IBM, the “global average cost of a data breach” increased 10% from 2023 to 2024, rising from $4.45 million to now $4.88 million. Consumers are bearing the brunt of these costs as confirmed by over half of the organizations IBM interviewed.

This brings us to the U.S. Securities and Exchange Commission (SEC) [1] and the Commodities Futures Trading Commission’s (CFTC) cybersecurity rules, which address cybersecurity from both a prevention and a disclosure vantage point. The overall objectives are to ensure that public companies, as well as auditors and connected third-party subcontractors, have secure technical, administrative, and physical safeguards implemented, protect sensitive information of both the entities and the individuals they serve, and diminish the residual impact on investors and the markets alike.

Cybersecurity is material for a variety of reasons, including that fact that the Cybersecurity & Infrastructure Security Agency (CISA) identified the Financial Services Sector and Government Services and Facilities Sector as two of sixteen critical infrastructure sectors. Every United States Government Agency has a hand in cybersecurity and rightly so – technology is integral to everyone’s personal and professional lives. For investors and whistleblowers alike, a key item to look at is company statements regarding cybersecurity compliance pre-breach.

As the cost of cybersecurity risks increases, investors, companies, and consumers will continue being impacted. SEC Chair Gary Gensler appropriately summed up cybersecurity and cyber-incidents. “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors.”

Rachel V. Rose is the Founder of Rachel V. Rose – Attorney at Law, PLLC

[1] Fraud by the Numbers analyzed the SEC’s new cybersecurity rule in 2023