SEC’s New Toughness On Breach Reporting And What It Means For Your IT Compliance


In 2011, the Securities and Exchange Commission (SEC) warned public companies that cybersecurity incidents and security risks in their IT systems may have to be reported through public disclosures. The warning, in the form of a guidance, was a reminder that breaches can result in significant costs, remediation, litigation, regulatory fines and lost sales, and that investors must be informed of important or “material” news.

After devastating breaches at Yahoo ($350 million, 2013), Target (over $160 million, 2014), Anthem (over $200 million, 2015), and Equifax (over $240 million, 2017), the SEC’s advice has taken on new urgency.

Earlier this year the SEC issued a clarification, and to put it bluntly, the agency means business. The SEC’s February 2018 statement got to the point: “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”

In April, the SEC announced a $35 million fine it levied against Yahoo for waiting almost two years to disclose its massive 2014