The SEC’s New Take on Cybersecurity Risk Management
COMMENTARY
The advent of generative AI is surfacing new risks, significantly raising the stakes for businesses around the globe and for marketplace stability. In reaction to the logarithmic growth of cybercrime, the guidance and regulatory landscape is changing rapidly. While historically, the United States preferred frameworks over regulation, in 2023 there was a significant regulatory development: the introduction of new cybersecurity rules by the Securities and Exchange Commission (SEC). These rules for publicly traded companies focus on cybersecurity risk management, governance, and incident disclosure. Designed to enhance investor protection and market transparency, the SEC seeks to ensure timely and effective communication of events that affect the financial health or stability of publicly traded companies.
Under the new disclosure rules, registrants must report within four days any cybersecurity incident they have determined to have a “material impact,” meaning it could significantly affect the company’s operations or finances. Companies must therefore swiftly assess the nature and scope of the incident, including the type and volume of compromised data and the potential business, legal, or regulatory impacts.
As companies grapple with these new regulations, there are already important insights to be gleaned from the experiences of several major entities that have reported breaches and made disclosures. Here are three:
Clorox
In August 2023, Clorox experienced a severe cyberattack affecting the company’s automated order processing. This incident caused widespread disruption, resulting in delays in processing orders and significant product shortages, which adversely affected sales and earnings. By the end of 2023, Clorox incurred $49 million in costs due to the cyberattack, including losses from operational disruptions and payments to third parties enlisted to assist with the investigation and remediation. Its chief information security officer (CISO) was also no longer working for the company. Recent reports suggest that security audits had flagged issues for years. Clorox projected in its 8-K SEC filing that the attack’s financial impact would continue into fiscal year 2024. The company anticipates incurring additional costs ranging from $50 million to $60 million, related to the ongoing effects of the incident.
Prudential Financial
In February 2024, Prudential Financial reported a breach, though it came out largely intact. Prudential also adhered to SEC rules in its disclosures, but the company sought to get ahead by voluntarily reporting the incident before a material impact was determined. In its filings with the SEC, Prudential disclosed detecting unauthorized access to its infrastructure on Feb. 5. This breach involved “administrative and user data from certain IT systems” and impacted what the company said were a small percentage of employee and contractor accounts. The intrusion, which has since been attributed to the ALPHV ransomware gang, exposed the names, addresses, and personally identifiable information (PII) of 36,545 individuals. Prudential’s decision to file proactively with the SEC may signal a new trend toward disclosure prior to ascertaining materiality, with another filing after materiality is determined.
UnitedHealth
Most recently, UnitedHealth suffered a massive attack against its subsidiary Change Healthcare that breached millions of patients’ records and brought prescription fulfillment and claims processing to a standstill. UnitedHealth disclosed the attack on Feb. 21, and initially attributed it to a nation-state, without determining materiality or specifying how many people were affected. UnitedHealth reported it was focused on restoring operations. The incident severely impacted doctors and healthcare facilities that serve millions of Americans, including an estimated 30 million disadvantaged and uninsured people. The company did not disclose whether the attackers demanded a ransom, but a post in an online hacker forum claimed UnitedHealth paid $22 million to regain access to its systems. UnitedHealth has since filed an amendment to its initial 8-K. Today, the company faces at least 24 lawsuits and extensive financial repercussions. UnitedHealth announced recently that it anticipates the cyberattack on Change Healthcare could cost the company as much as $1.6 billion, which some analysts argue is an understatement. Since revealing the attack, UnitedHealth’s stock price has dropped nearly 15%.
Lessons Learned
Each of the above cases offers material for further study, but three early lessons for enterprise risk management are already on display:
- You can’t disclose what you can’t see. Yet, willful blindness is not a working defense, as companies must now explain the details of breaches. That means companies should have continuous visibility into all their digital assets, prioritize handling misconfigurations, and address findings from security audits. Executives must have command over their digital estate and would benefit from using adversarial and disclosure thinking.
- It’s critical to maintain transparency and do the basics right. Companies are always concerned about making inaccurate assessments. However, adopting conservative and proactive policy and technological measures can help mitigate many concerns. In particular, companies should be ready to revise disclosures with greater detail as it becomes available.
- Prioritize sharing. Information sharing has proven its value for all sectors. The global marketplace benefits from exchanging insights on breaches and successful strategies. This exchange not only enhances security practices but also fosters a collaborative environment that accelerates the adoption of best practices, to the benefit of all in the fight against cybercrime.