What are your SEC reporting requirements for cybersecurity incidents?

The odds of an organization experiencing a cyber security breach are about 30% in any two-year period.

A cybersecurity breach can have major, sometimes catastrophic, effects – on an organization’s reputation and even the cost of debt. This makes responding to a breach efficiently and effectively a critical part of cybersecurity.

The most important aspect is the response plan. Part of that process includes contacting the authorities. For most organizations, this usually means law enforcement, but in many jurisdictions, this includes a cybersecurity regulator or the affected individuals.

In the European Union, such notification is relatively straightforward. Article 33 of the EU GDPR (General Data Protection Regulation) states that organizations suffering a cybersecurity breach must notify the regulator – the supervisory authority – within 72 hours of becoming aware of the breach.

Sadly, in the U.S. things are not that easy. A U.S. organization, depending on what it does and where it does it, may have to notify multiple entities.

All 50 states have a breach notification statute, but these vary considerably. Health care organizations, for example, must report under HIPAA (45 CFR §164.400).

But perhaps the most difficult reporting requirement is for companies listed on public exchanges, which must report according to SEC (Securities and Exchange Commission) rules.

These could include Rule 408 of the Securities Act [17 CFR 230.408], Rule 12b-20 of the Exchange Act [17 CFR 240.12b-20], and Rule 14a-9 of the Exchange Act [17 CFR 240.14a-9].

What these rules have in common

All these rules basically require the same thing: Whenever a public company is communicating to the public, the company must report not only information required but also any material facts.

A cybersecurity breach is definitely a material fact, but is anything else? The answer has become much clearer following recent cases and rulings. In these cases, there was no report of a breach, because there wasn’t one. What the organizations failed to report was a vulnerability.

First American Financial Corporation, a real estate title insurance company, was notified in May 2019 by a cybersecurity journalist that one of its applications had a vulnerability.

This issue could have been used to expose more than 800 million title and escrow document images dating back to 2003. These records included images containing sensitive personal data such as Social Security numbers and financial information.

First American’s senior management had been told of this vulnerability by its cybersecurity team months earlier, but did nothing. It failed to report the vulnerability to the markets and didn’t bother to remediate it.

The organization’s excuse was that the senior executives responsible for reporting were not aware of the problem even though many members of senior management, including senior security personnel such as the CIO and CISO, were. The result? First American agreed to pay a fine of $487,616.

Pearson, a publicly traded UK corporation with headquarters in London, had the same problem. It trades as depository receipts on U.S. exchanges. It also agreed to a SEC consent order.

Pearson’s business involves multinational educational publishing and services. Its AIMSweb 1.0 product is used to screen and monitor the reading and math skills of PreK–12 and college students. It is used by more than 13,000 school districts, and collects and processes records of millions of students.

On March 21, 2019, Pearson learned that millions of records had been hacked using an unpatched vulnerability. The organization was aware that a patch had been issued in September 2018, but did nothing about it.

After it had been hacked, Pearson still did very little. It mailed a breach notice to all its customer accounts whose student and school officials’ credential data was exfiltrated, but did not tell them that their credentials had been taken.

It also failed to inform the markets that there had been a breach, maintaining that it was a hypothetical risk. It repeated the contention that the risk was only hypothetical in a statement posted to its website on July 31, 2019. Pearson was fined $1 million.

Both fines could have been avoided

In both cases, the organization could have remediated the issue as soon as it learned of the vulnerability. Both should have reported the issue to the markets. And both chose to avoid or obfuscate the real issue rather than admit there was a problem.

First American and Pearson may have violated various breach reporting statutes. Pearson may have violated the FERPA (Family Educational Rights and Privacy Act) and the GDPR.

Both probably violated various state reporting statutes. Derivative lawsuits may be another consequence in addition to other regulatory action.

Since 2018, the SEC has stressed the importance of cybersecurity policies and procedures. The need for a robust cybersecurity framework is greater than ever and will continue to grow as more and more laws get passed and more and more lawsuits are instituted.

But what is the best cybersecurity framework for establishing policies and procedures?

ISO 27001 is an ideal solution. It’s the international best practice in information security, and could be a bar against a negligence action.

However, the most important thing about ISO 27001 is that it is risk-based. Many organizations do business in multiple states, and often in multiple countries.

To comply with an ever-growing array of different laws, including securities, privacy, health care, and cybersecurity, you need a framework that works for your organization.

Learn about ISO 27001 best practice and find out how to achieve compliance with the Standard with our online training course.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course will teach you the key elements of the Standard.