Top executives will soon be unable to profess ignorance about the cyber realm. A massive rise in hacking and ransomware has prompted U.S. regulators to draft specific disclosure rules for listed companies that could be finalized as soon as this year. It’s critical for investors and companies alike, and a likely new headache for corporate executives.
With data usage ballooning, the upsurge in global cyberattacks has been staggering. Last year, attempts to breach networks of companies and organisations were up 38% globally compared to the previous year, data from IT security group Check Point showed. That translated into a record 1,168 weekly attacks per organisation in the final quarter of 2022. The total annual cost resulting from data theft, fraud or lost productivity is expected to rise 15% per year to $10.5 trillion by 2025, says researcher Cybersecurity Ventures. Most attacks tend to come from ordinary criminals, but the war in Ukraine has raised awareness about protecting critical infrastructure, security experts at last month’s Munich Security Conference told Reuters Breakingviews.
The scale of the problem has convinced the Securities and Exchange Commission that companies need to tell investors how they understand, handle and prevent cyber risks. Under draft rules first published in March 2022, U.S. listed companies could soon be forced to reveal within four business days if a cyberattack has materially affected their operations. Firms would have to describe any procedure to identify and prevent such threats. Companies would also need to disclose the level of cyber expertise at board level.
The new rules will create a global regulatory imbalance. Companies in the European Union don’t have specific cyber risk disclosure requirements, and must reveal attacks to the market only on an ad hoc basis. As such, the U.S. move will put pressure on European regulators to adhere to what will likely become the gold standard for this type of disclosure, a top European securities regulator told Reuters Breakingviews.
For many companies, the requirements could come as a shock. Some view the proposed reporting framework as too stringent. Others fear that overly granular details on their level of preparedness may actually encourage and enable malicious attacks.
There are other concerns. One-third of IT professionals surveyed by the Neustar International Security Council in January said the firms they worked for were cutting or not growing their cybersecurity budgets. Companies may also lack expertise: the cybersecurity industry is 3.4 million workers short of what’s needed.
Corporate bosses already chastened by shareholders for insufficient progress on climate change now face a new and specific worry. Armed with the new disclosures, investors may be critical of spending shortfalls, or rap companies that prioritise buying insurance over the actual work of properly shielding their data and business. As online threats widen, investors may start applying valuation discounts to the cyber laggards.
The U.S. administration of President Joe Biden on March 2 published a National Cybersecurity Strategy aimed at helping the United States fight online threats.
The Securities and Exchange Commission (SEC) has carried out a public consultation relating to proposed new disclosure requirements on the management of cybersecurity risks, and is looking to finalise the rules by year end, SEC official Luna Bloom told a conference at the Catholic University in Milan on Feb. 27.
Under the SEC proposal, first published in March 2022, companies will have to disclose information about any incident that materially affects their operations within four business days of determining the impact of the event. Companies would also have to provide regular updates relating to previously disclosed incidents.
In addition, listed firms would have to describe any policy and procedures for the identification of cybersecurity threats.
Finally, the new rules would require companies to explain their boards’ role in the oversight of cyber risks and any expertise in assessing and managing such risks.
In Europe, companies are currently only required to reveal cyberattacks on an ad hoc basis, as with any other price-sensitive occurrence.
Article published on Breakingviews - Reuters
Photo by Mika Baumeister on Unsplash