Globally, companies are under increasing pressure to disclose cybersecurity breaches. Keeping a breach quiet until something truly horrific surfaces that can no longer be hidden is less and less an option.
Companies began to feel the increased pressure when the U.S. Securities and Exchange Commission published guidance in February 2018 telling firms to disclose the risk of cyber breaches in their SEC filings as well as the board’s role in overseeing cybersecurity risk management. The purpose was so that investors could assess how the board is “discharging its risk oversight,” according to a June 2018 Boardroom Perspectives from Latham & Watkins attorneys Jennifer Archie and Serrin Turner. The chief executive officer and the chief financial officer should also personally certify that they’ve reviewed the company’s disclosure controls.
All material events must also be disclosed—and an ongoing investigation is not a basis for avoiding disclosure, the SEC has said. If new and material information is revealed later, companies should consider updating the disclosures, according to Latham & Watkins. Companies also must take steps to ensure that insiders don’t trade on material information about a breach that hasn’t been disclosed to investors.
“The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available,” the guidance said.
In April 2018, the SEC hit Altaba, formerly known as Yahoo, with a $35 million fine—its largest cyber breach disclosure fine to date. The company failed to disclose a hack of customer data for nearly two years.
For companies doing business in Europe or with European customers, the European Union’s General Data Protection Regulation (GDPR) is even more specific than the SEC’s guidance. It requires companies to disclose a breach of personal data within 72 hours.
Of course, there’s also public pressure to disclose a breach quickly. The hotel chain Marriott International drew numerous complaints in 2018 after it failed to quickly report a breach of Starwood Hotels’ database, including customer passport numbers. At first, the company thought up to 500 million records were compromised and a breach had occurred as early as 2014. Then, the company corrected that to fewer than 383 million records involved after culling out duplicate records. Marriott announced on July 9, 2019, that UK regulators planned to fine it $124 million for violating GDPR rules; the company intends to contest the fine.
The trend is pretty clear. The criminals aren’t the only thing to worry about. There’s also the increased scrutiny from regulators and fines associated with breaches.