For SEC Cyber Disclosures, ‘Transparency Wherever Possible’ Should Be The Goal: Advisor

As publicly traded companies assess how to comply with the SEC’s cyberattack disclosure rules, following a strategy to ‘get ahead of the story’ is wise, a PwC partner tells CRN.

When it comes to complying with the U.S. Securities and Exchange Commission and its cyber incident disclosure rule, filing early and often is the recommended strategy to avoid bigger problems, a PricewaterhouseCoopers partner told CRN.

The SEC rule, which took effect on Dec. 15, requires publicly traded companies to disclose major cyberattacks within four business days of determining an incident is “material” for its shareholders.

In some cases, however, companies have disclosed incidents to the SEC even though a determination of materiality hadn’t been reached yet.

According to PwC Partner Joe Nocera, this is exactly the sort of thing he’s been advising clients to do as part of complying with the SEC regulations.

“That's definitely what we're pushing for — transparency wherever possible,” said Nocera, a leader in the cyber and tech risk practice at PwC, in an interview.

The best approach is to “get ahead of the story. Own it,” he said. “Share what you know, as soon as you feel like you [know] enough.”

To File, Or Not To File

In the seven weeks since the SEC disclosure requirements went live, only a handful of incidents have been disclosed via the required 8-K filing. Those have included data breaches at footwear maker VF Corp and insurer First American, as well as at tech giants Microsoft and Hewlett Packard Enterprise.

In the latter two cases, the companies indicated they were filing the disclosures voluntarily, since they weren’t aware of a material impact from the attacks.

Not all companies will be inclined to follow this approach, however. Many have reservations about disclosing security incidents when not required to do so, Nocera noted.

That's due to concerns about the possible effects on customer perception and their stock price — or the possibility that a disclosure might make the company into an even bigger target for attackers, he said.

In reality though, the impact on customer and investor perception will likely be even greater if it later seems like the company was hiding something, Nocera said.

“I think the truth always gets out. And so, better to be transparent,” he said.

His guidance to clients: File a disclosure with the SEC as soon as possible, and then update it once materiality is determined.

As for the concern about making the company into a bigger target for hackers, there is validity to that — but steps can be taken to the mitigate the risk, he said. In those cases, companies shouldn’t disclose an incident until they’ve deployed countermeasures that are most closely related to the underlying issue, Nocera said.

In other words, don’t disclose a non-material incident until “you feel like your defenses are in place, in such a way you’re ready for any additional attention that would come come your way.”

Ultimately, as just about every company has become the victim of a data breach over the past five years, the bigger problem often ends up being the response rather than the incident itself, Nocera said.

“To me, what makes the difference between a well-run [response] and a disaster is how they handle the incident. How transparent are they? How quickly do they get things back up and running?” he said.

And importantly, “how accurate is the first story that they provide?”