No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Featured

Executive Accountability for Internal Cybersecurity Disclosure

Are You at Risk?

by Jody Paterson
March 8, 2019
in Featured, Risk
red padlock button on microchip background

ERP Maestro’s CEO Jody Paterson discusses cybersecurity risk disclosure and compliance and how executives are being held more personally accountable for nondisclosure as outlined by the SEC.

Companies face a multitude of risks and threats. Reporting them to stakeholders and investors is a requirement, and serious consequences may ensue for a failure to do so – for the company and, increasingly, for business leaders. It’s a liability no company wants and a personal disaster no executive wishes to encounter. To prevent such catastrophes for the latter, individuals need to understand how they may be accountable.

For public companies, disclosing business risks has long been mandatory on periodic reports, such as annual reports, 10-K forms, quarterly 10-Qs and 8-K current incident reports as needed.

As technology has become not only the primary offering of many companies, but also the norm for business operations and financial management, external risks, such as security breaches and cyberattacks, have been included in in the Security and Exchange Commission’s (SEC) risk reporting requirements.

SEC Guidance

In the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC provides guidance to assist companies in disclosing cybersecurity risks, saying that “cybersecurity incidents can result from unintentional events or deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states and ‘hacktivists.’” Although clearly listed, how often do companies disclose internal security vulnerabilities as part of their cybersecurity risks, and what’s the impact if they don’t reveal them – or if they don’t catch them?

Internal threats due to weak controls of employees’ access to business and financial systems have become a primary risk; some accounts state that insider attacks make up 75 percent of all cybersecurity threats. Insufficient controls may result, for instance, in intentional fraud, destruction of financial assets, stealing and revealing of sensitive company data and nonmalicious mishaps. Such events can be quite damaging in respect to monetary losses, but that’s not all. Negative consequences reported in the Commission’s guidelines may also include:

  • remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack;
  • increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants;
  • lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
  • increased insurance premiums;
  • reputational damage that adversely affects customer or investor confidence; and
  • damage to the company’s competitiveness, stock price and long-term shareholder value.

However, it turns out the damages may also be more personal, as the SEC states holding individuals accountable as a key pillar of their enforcement program.

To understand the personal liability potential, consider what the SEC warns about internal risk reporting:

Disclosure Controls

Companies are advised that it is critical to have disclosure controls and procedures to provide an appropriate method of discerning the impact such matters may have on the company and its business, financial condition and results of operations.” To disclose risks, a company must know what they are, and a failure to have controls that can spot risks could mean negligence on the part of a company or its executives.

Risk and Incident Reporting

Controls to identify risks and internal cybersecurity incidents are the tools to help a company know what risks exist, but disclosure means also communicating those risks or incidents to the SEC once they are known. To not do so, or to not do so accurately, is withholding vital information from investors – a clear violation. Additionally, a company must disclose the concomitant financial, legal or reputational consequences of a cybersecurity incident.

Insider Trading

The Commission specifically points out that directors, officers and other corporate insiders must not trade a company’s securities if they have knowledge of cybersecurity incidents before they are reported. This includes the reporting of insider risks or incidents.

Focus on Individual Accountability

In the SEC’s November 2018 Division of Enforcement annual report, the Commission highlights its heightened focus on individual accountability: “Holding individuals accountable for wrongdoing is a key pillar of any strong enforcement program. Institutions act only through their employees, and holding culpable individuals responsible for wrongdoing is essential to achieving our goals of general and specific deterrence and protecting investors by removing bad actors.” In FY 2018, the Commission charged individuals in more than 70 percent of the stand-alone enforcement actions it charged. Those charged included numerous CEOs and CFOs, as well as accountants, auditors and other gatekeepers.

Ensuring Effective Controls

To keep a company and its executives safe, businesses need to follow the guidelines set forth by the Commission and “should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder” and to the SEC.

Protecting company assets translates not only into preventing company harm, but also keeping executives free from personal liability. Technology may run most companies today, but when it comes to disclosure controls, technology is also at the forefront of safeguarding a business, its systems and its valued talent.


Tags: Cyber RiskReputation RiskSECYates Memo/Personal Liability
Previous Post

Liar, Liar, Pants on Fyre

Next Post

Is Data Compliance Equal to Data Security?

Jody Paterson

Jody Paterson

Jody Paterson is a trusted governance, risk and compliance advisor and thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a KPMG veteran and founder of ERP Maestro.  

Related Posts

SEC emblem on building exterior

The Rise of a New FINRA Risk & How to Navigate It

by Sarah Hutchins and Corri Hopkins
May 31, 2023

Reg BI says brokers should act in the best interest of their retail customers, but are they? Sarah Hutchins and...

moby dick illustration

Whaling: When Business Leaders Become Cyber Weapons

by Aileen Allkins
May 24, 2023

The threat of cyber crime is nothing new for the average business. But new tools like AI mean fraudsters have...

whats app signal gmail phone icons

Companies Are Cracking Down on Chat Apps, But It’s Still Too Hard to Find What They’re Looking For

by Stacey English
May 24, 2023

A hybrid communication environment has become the norm for most companies, from the use of messaging apps to communication systems....

finserv whatsapp

Survey: Only 3% of Compliance Officers Confident About Effectiveness of Off-Channel Comms Ban

by Staff and Wire Reports
May 18, 2023

Despite widespread efforts to ban problematic communication apps like WhatsApp and WeChat, only 3% of compliance leaders strongly believe those...

Next Post
illustration of GDPR circling the globe

Is Data Compliance Equal to Data Security?

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment Sanctions SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT