Consumers have become wary of data breaches and of how poorly their personal information is protected. But the cost of a data breach is no longer only a matter of money and your company's good name. There is now a third critical reason to pay attention: the U.S. Securities and Exchange Commission, more commonly referred to as the SEC.

The SEC has begun to take aim at the disclosure failures and weak security practices that surround breaches. So, what does the SEC's involvement mean for cybersecurity professionals?

Why Is the SEC Involved in Data Breach Response?

You might think about the SEC in terms of stocks and the stock market. But it has a three-part mission: protect investors, facilitate capital formation and maintain fair, orderly and efficient markets.

To protect investors, the SEC works to make sure people are not investing their hard-earned money in a company's stock based on false or misleading information. That might mean looking into falsified earnings reports, but it also goes much deeper.

The SEC aims for transparency. So, it requires each public company to disclose the material risks that can affect the company's earnings and, in the end, its stock price. This process increases the odds that an investor has access to the full picture of a company's financial health.

The possible risks encompass much more than fraud; they can include everything from supply chain issues to natural disasters. The purpose is to share anything and everything that could possibly affect the financial future of the company.

This leads us right to the answer about why the SEC cares about cybersecurity. When a company faces a cybersecurity attack or event, it affects its revenue. According to the IBM Cost of a Data Breach Report 2021, the average cost of a breach was $4.24 million, and a ransomware attack averaged even more, at $4.62 million. Even the lowest-cost category the report broke out by cloud deployment model, breaches in hybrid cloud environments, still averaged an expensive $3.61 million.

What This Means for Revenue

This means cybersecurity practices play a large part in a company's revenue. Even modest breaches result in substantial losses. Yet most investors never consider cybersecurity when deciding where to put their money.

Very few cybersecurity issues develop because of a single poor decision or mistake. Instead, there are multiple choices and factors that lead to the vulnerabilities that allow a breach to happen.

The issue concerns the SEC because when an organization faces a major incident, the price of that company's stock typically falls. But investors don't have cybersecurity-related information when they purchase company stock. So, they are making those purchasing decisions without key information. That can make their investment much riskier than they realize.

Why now? It’s simple. The costs of breaches are going up, which means the risk to investors is increasing.

The IBM Cost of a Data Breach Report 2021 found the average cost of a breach rose nearly 10% between 2020 and 2021, from $3.86 million to $4.24 million. As you might expect, the increased number of people working from home was a factor. Breaches in which remote work played a role cost $1.07 million more on average than breaches where it did not.

Reputation is a bit harder to quantify. But the fact that 38% of the average cost of a breach comes from lost business is notable.

What Is the SEC Doing About Cybersecurity Risks and Incidents?

The SEC is increasingly levying fines on companies with poor cybersecurity practices and poor disclosure of cyber incidents.

In July 2021, the SEC settled with Pearson plc, a London-based public educational publishing company. Pearson agreed to pay $1 million to settle charges that it misled investors about a 2018 breach, which involved the theft of millions of student records, including dates of birth and email addresses. The SEC's stance was that Pearson's disclosure controls and procedures were inadequate: the company described the breach as a hypothetical risk in a filing made after it had already occurred.

And Pearson isn't the only case like this. In August 2021, the SEC announced three actions against eight financial firms for failures in their cybersecurity policies and procedures. Each group of firms had suffered email account takeovers that exposed client personal information, and the penalties ranged from $200,000 to $300,000 per action. Experts agree that these are likely just the beginning. They are a signal that the SEC is now focusing on the risks cybersecurity issues pose to investors.

How to Avoid SEC Fines After a Data Breach

Harvard Business Review’s article on this subject is right on the money. First, create a committee for disclosure to conduct quarterly surveys to uncover everything that needs to be disclosed.

Second, disclose early. In a past case, the SEC found that a six-month delay was too long. Companies should take action as soon as possible. Along those lines, HBR gave further guidance that companies should be candid about whether they yet understand the full scope of the breach, rather than waiting for certainty before saying anything.

The final two suggestions, conduct forensic assessments and build visibility into your assets, are practical advice. You cannot disclose the scope of an incident you cannot reconstruct, and you cannot reconstruct it without knowing what systems and data you have. Together they form a process that makes it possible to disclose cybersecurity issues quickly and accurately.

Let the SEC’s Data Breach Response Increase Your Cybersecurity Funding

Chief information security officers often ask me how they can show their company's leaders how important cybersecurity is. This SEC news is an outstanding proof point. It's a clear illustration of how cybersecurity incidents cost both reputation and money. Plus, no one wants to get fined by the SEC. It's just not a good look.

Before your next budgeting meeting, set up time to meet with your company leaders. Bring copies of recent SEC sanctions and a list of potential vulnerabilities in your own company. Start with sharing the SEC’s recent actions. Next, make the case for areas that could cause your company the same fate. Then tie it right back to your budget. Show how investments in cybersecurity can help prevent your organization from becoming the SEC’s next target.

You’ve known for years, if not decades, the importance of cybersecurity to your company. And while at first glance it appears the SEC news is bad for the industry, it’s actually the opposite. It’s even more proof that your company’s success and future depend on taking effective and proactive cybersecurity measures now.
