Now the S.E.C. has issued updated cybersecurity guidance. Again, it warned public companies to make “timely” disclosure, recognizing the “grave threat” that cybercrime poses to investors and the capital markets.
Yet, the S.E.C.’s new guidance doesn’t confront the practical quandary facing public companies victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call. Doing so can risk tipping off the bad guys and imperil investigations. Law enforcement often encourages, or even demands, that the incident not be disclosed. At the same time, companies know they have a duty to their investors to provide prompt information about any real risks to their businesses.
This tension between the need for discreet cooperation with law enforcement and the obligation to inform investors and the markets creates a dilemma for public companies. Unfortunately, the commission’s updated guidance provides little direction to corporate leaders confronting these conflicting demands. While the guidance acknowledges that it will often take time to “discern the implications” of a breach and that it “may be necessary to cooperate” with law enforcement, it concludes that an active investigation would not “on its own” be a reason to avoid disclosure of a material cybersecurity incident.
Perhaps this dilemma explains why so few public companies report breaches. In 2017, only 24 companies reported breaches to the S.E.C., according to Audit Analytics, a firm that tracks securities law filings. Since 2011, when the S.E.C. issued its initial cyber guidance, only 106 companies have reported incidents to the S.E.C.
