Executive Accountability for Internal Cybersecurity Disclosure

Companies face a multitude of risks and threats. Reporting them to stakeholders and investors is a requirement, and serious consequences may ensue for a failure to do so – for the company and, increasingly, for business leaders. It’s a liability no company wants and a personal disaster no executive wishes to encounter. To prevent such catastrophes for the latter, individuals need to understand how they may be accountable.

For public companies, disclosing business risks has long been mandatory on periodic reports, such as annual reports, 10-K forms, quarterly 10-Qs and 8-K current incident reports as needed.

As technology has become not only the primary offering of many companies, but also the norm for business operations and financial management, external risks, such as security breaches and cyberattacks, have been included in in the Security and Exchange Commission’s (SEC) risk reporting requirements.

SEC Guidance

In the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC provides guidance to assist companies in disclosing cybersecurity risks, saying that “cybersecurity incidents can result from unintentional events or deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states and ‘hacktivists.’” Although clearly listed, how often do companies disclose internal security vulnerabilities as part of their cybersecurity risks, and what’s the impact if they don’t reveal them – or if they don’t catch them?

Internal threats due to weak controls of employees’ access to business and financial systems have become a primary risk; some accounts state that insider attacks make up 75 percent of all cybersecurity threats. Insufficient controls may result, for instance, in intentional fraud, destruction of financial assets, stealing and revealing of sensitive company data and nonmalicious mishaps. Such events can be quite damaging in respect to monetary losses, but that’s not all. Negative consequences reported in the Commission’s guidelines may also include:

• remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack;
• increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants;
• lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
• litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
• increased insurance premiums;
• reputational damage that adversely affects customer or investor confidence; and
• damage to the company’s competitiveness, stock price and long-term shareholder value.

However, it turns out the damages may also be more personal, as the SEC states holding individuals accountable as a key pillar of their enforcement program.

To understand the personal liability potential, consider what the SEC warns about internal risk reporting:

Disclosure Controls

Companies are advised that it is critical to have disclosure controls and procedures to provide an appropriate method of discerning the impact such matters may have on the company and its business, financial condition and results of operations.” To disclose risks, a company must know what they are, and a failure to have controls that can spot risks could mean negligence on the part of a company or its executives.

Risk and Incident Reporting

Controls to identify risks and internal cybersecurity incidents are the tools to help a company know what risks exist, but disclosure means also communicating those risks or incidents to the SEC once they are known. To not do so, or to not do so accurately, is withholding vital information from investors – a clear violation. Additionally, a company must disclose the concomitant financial, legal or reputational consequences of a cybersecurity incident.

Insider Trading

The Commission specifically points out that directors, officers and other corporate insiders must not trade a company’s securities if they have knowledge of cybersecurity incidents before they are reported. This includes the reporting of insider risks or incidents.

Focus on Individual Accountability

In the SEC’s November 2018 Division of Enforcement annual report, the Commission highlights its heightened focus on individual accountability: “Holding individuals accountable for wrongdoing is a key pillar of any strong enforcement program. Institutions act only through their employees, and holding culpable individuals responsible for wrongdoing is essential to achieving our goals of general and specific deterrence and protecting investors by removing bad actors.” In FY 2018, the Commission charged individuals in more than 70 percent of the stand-alone enforcement actions it charged. Those charged included numerous CEOs and CFOs, as well as accountants, auditors and other gatekeepers.

Ensuring Effective Controls

To keep a company and its executives safe, businesses need to follow the guidelines set forth by the Commission and “should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder” and to the SEC.

Protecting company assets translates not only into preventing company harm, but also keeping executives free from personal liability. Technology may run most companies today, but when it comes to disclosure controls, technology is also at the forefront of safeguarding a business, its systems and its valued talent.