Why are companies risking potential penalties from the Securities and Exchange Commission (or SEC), in an effort to hide cyberattacks?
Every year, scores of ransomware attacks paralyze the computer networks of businesses, government agencies and medical offices, many of them small. But these attacks pose a particular dilemma for publicly traded companies, which operate under SEC regulations. The attacks are costly, they disrupt operations, and, more importantly, they expose cybersecurity vulnerabilities. They can also meet the SEC's definition of a “material” event — an incident that a “reasonable person” would consider important to an investment decision. Material events must be reported in public filings, and failing to do so could prompt an SEC enforcement action or a shareholder lawsuit.
Despite this, some companies worry that acknowledging a ransomware attack could earn them negative press, alarm investors and drive down share prices. As a result, although many companies cite ransomware in filings as a risk, they often fail to report actual attacks or describe them in vague terms.
This failure to disclose incidents to the SEC hampers federal monitoring of ransomware attacks on U.S. businesses. Companies also often avoid alerting the FBI, out of fear that the attacks will become public and that the FBI will go on to investigate unrelated problems.
These gaps in incident reporting become more glaring as cyberattacks against businesses grow more common. In October 2019, the FBI issued a warning that attacks “are becoming more targeted, sophisticated, and costly,” and that losses from them “have increased significantly.” Some recent ransomware attacks have also involved data theft, with cybercriminals threatening to sell or publish the stolen data. That constitutes a security breach, and it undermines one of the most common corporate rationales for not disclosing an attack.
Some companies lean on the notion that ransomware attacks aren’t material because there’s little evidence that personally identifiable information — the release of which may trigger reporting requirements in various states — is stolen.
When companies do allude to an attack in SEC filings, they typically resort to euphemisms rather than the specific wording that would best describe what caused their business to suffer millions of dollars in losses.
For investors, being kept in the dark about ransomware attacks and any subsequent ransom payments puts them at a disadvantage when evaluating potential stock purchases. They are unable to make informed decisions about stock ownership or about any shareholder proposals that could strengthen a company’s cybersecurity.
Failing to disclose these material events to investors and the SEC can spur backlash from both. After Yahoo failed to report a data breach affecting hundreds of millions of accounts, it later settled a shareholder lawsuit for $80 million and paid $35 million in penalties to the SEC.
Whether a ransomware attack that doesn’t expose large amounts of personal data must be deemed material, and reported to the SEC, is a much more complicated matter. While ransom demands generally aren’t large enough to be material on their own, companies often incur other, larger costs related to the attack: expensive outside consultants, the cost of replacing damaged equipment and higher cyber insurance premiums, in addition to lost revenue from interrupted operations. Then there are the further issues of customer dissatisfaction and the loss of corporate data. Going forward, corporations should weigh “the importance of any compromised information and of the impact of the incident on the company’s operations,” according to the SEC.