On Time Tech

What Are The SEC’s Guidelines For Public And Private Company Cybersecurity?

Written by Lance Stone | Sep 7, 2018 3:04:00 PM

Hand-in-hand with an increased reliance on the internet and networked systems comes an increased risk of cyber-attacks. Whether caused unintentionally or deliberately, cybersecurity incidents can wreak havoc on a company’s bottom line, bringing a wide range of consequences capable of doing long-term harm to companies big and small.

For this reason, the U.S. Securities & Exchange Commission has required public companies to follow a particular set of guidelines and procedures to combat the countless cybercriminals scouring the internet in search of opportunities.

Cybersecurity threats and risks are ever-changing, and according to the SEC, public companies need to do all they can to prevent attacks. While there exists a world of difference between public and private companies in regard to rules, regulations and how they operate, the two often encounter the same cybersecurity challenges. This is why, although they are unregulated by the SEC, private companies can’t afford to ignore what’s recommended to prevent and combat cyber incidents.

In order to educate and provide support to public companies about the risks associated with cyber attacks, the SEC has introduced a cybersecurity information website containing a variety of tools to be used by companies large and small. These include alerts, compliance toolkits, educational resources and other information pertinent to cyber security and its potential effects on today’s businesses.

What Can Companies Do To Address Cyber Risks?

The SEC has some important tips for businesses to follow if they hope to steer clear of cyber attacks. And in cases where it’s too late, there is a set of procedures businesses should implement to help minimize damage once an attack hits.

The website covers a wide variety of cyber-related misconduct, including market manipulation through false information, intrusions, hacking and attacks on market infrastructure and trading platforms. According to the SEC, here are a few things private companies must do in order to effectively manage their cybersecurity risk.

Prioritize Policies

An effective set of policies and procedures for dealing with cybersecurity is vital in today’s business world, especially at a time when cybercriminals are acquiring new skills and targets by the day. Companies must be able to identify cybersecurity risks, analyze their impact, and maintain open communication with technical experts who can help implement preventative measures and damage control.

There should also be a protocol for determining the potential risks and materiality of cybersecurity incidents. It’s important for companies to assess compliance with these policies on a regular basis, and to ensure there is a proper set of procedures for conveying important information to the necessary personnel.

Necessary Disclosure

Conveying cybersecurity risks and breaches to the appropriate parties is of the utmost importance for public companies, and private companies would do well to follow a similar chain of command. A company’s top directors, officers and other parties responsible for implementing these cyber controls and procedures should be informed of the potential risks in order to develop an effective plan for prevention. And while management’s role in overseeing cybersecurity is indisputable, there are other parties that must be involved.

Combating Insider Trading

Once a system has been infiltrated by a cyber attack, timing is crucial. The SEC states that companies must have a set of procedures in place to prevent insiders, such as company directors and officers, from taking advantage of the sensitive time between discovery of an attack or cybersecurity incident and the time it is disclosed to investors. It may even be appropriate to halt transfers in the event of an ongoing investigation of a particular cybersecurity incident.

What Are The Risks?

The risks of a cyber attack are varied and depend largely upon an individual company’s IT structure. When evaluating cybersecurity risk factors, there are a number of things companies both public and private must consider. For instance, the occurrence of previous cybersecurity incidents is helpful in determining risk, as is the probability of an incident occurring and its potential magnitude.

It is also helpful to analyze the adequacy of a company’s preventative measures for reducing the risk of cyber attacks, and to discuss the associated costs and the limits of a company’s ability to mitigate these types of risks. Other risk factors include the potential for reputational harm and the additional costs incurred from litigation and remediation in the event of a breach.

Conclusion

Private companies are in a unique position to learn from public companies as they navigate an ever-changing digital landscape. The SEC’s guidelines serve as a valuable point of reference to kick-start an effective game plan for cybersecurity. Although it can be difficult to determine when or where the next cyber attack will occur, familiarizing yourself with the risk factors and potential damage can prove a solid line of defense against a major cyber incident in the future.