Not long ago, companies were hesitant to disclose cyber incidents, fearing a backlash and damage to their reputations, and a loss of customer trust. In 2017, Equifax waited six weeks to disclose that sensitive customer information had leaked, helping make it one of the most iconic breaches in history.
Recent trends suggest that the tide is turning, with more and more companies putting greater value on transparency in building trust and maintaining investor confidence.
This article delves into the evolving landscape of cybersecurity disclosures, exploring reasons enterprises prefer openness and clarity, and the influence of the SEC's cybersecurity disclosure rules. We’ll also examine how China’s Cybersecurity Law serves as a model for public transparency, and consider the benefits and challenges associated with enhanced transparency.
New era of cybersecurity disclosures
Originally, legislation around disclosing cybersecurity breaches was focused on consumer protection. In 2002, California passed S.B. 1386, which required businesses to inform consumers in the event of a breach. However, the rules (and penalties) surrounding compliance were subject to interpretation and later, more stringent laws were required. In 2018, Australia amended its original Privacy Act of 1988 with a provision commonly referred to as Notifiable Data Breaches, that includes clear guidelines as to what constitutes an “eligible data breach.”
More recently, shareholders (and stakeholders) of publicly traded companies in the United States have demanded prompt and comprehensive disclosures of material cybersecurity incidents because the information is essential to investment decisions. In other words, the cost to investors from cybersecurity incidents has risen high enough to matter.
Just a few years ago, the industry's stance on cybersecurity disclosures was vastly different. Many companies were reluctant to acknowledge breaches, fearing reputational damage and potential legal consequences. However, as cyberattacks have grown in frequency and sophistication, organizations have come to realize that any excessive delays in disclosure only exacerbates the problem.
AT&T, which recently experienced a significant breach, later released a detailed public report on the incident. This level of transparency demonstrates a commitment to accountability and a willingness to address vulnerabilities head-on.
The SEC's roles as a transparency catalyst
The Securities and Exchange Commission (SEC) policies for cybersecurity incident disclosure guidance that went into effect late last year was a significant move towards improving transparency. The rule requires public companies to provide more detailed and timely disclosures about material cybersecurity incidents and risks in Form 8-K. The guidance also requires revealing the financial impact of cybersecurity incidents, including the costs of containment, remediation, and recovery, as well as any potential losses or damage.
Furthermore, the SEC requires an annual declaration requirement in Form 10-K, mandating that companies provide an update on their cybersecurity risk management processes and the role of the board of directors in overseeing cybersecurity risks. This annual declaration improves transparency by ensuring that investors and the public are informed about the company's cybersecurity preparedness and cyber risk governance.
SEC Chair Gary Gensler said that these cybersecurity incidents “may be material” to investors in the same way that a factory lost to fire would be material to investors. He asserted there would be increased investor benefit if disclosures were made “in a more consistent, comparable, and decision- useful way.”
If this level of transparency is good, wouldn’t taking things one step further with regular, consistent government-run pen-testing be even more useful to investors looking at companies? We may not be as far away from that as we may think.
Far-reaching powers yield far-reaching visibility: lessons from China
China's Cybersecurity Law, implemented in 2017, significantly influences cybersecurity transparency practices for national enterprises operating in the country. This comprehensive legislation mandates companies operating within China to promptly report data breaches and other cybersecurity incidents to the government, which is similar to regulations in other nations. On the flipside, the Chinese government has extensive authority to scrutinize company data and networks, which is not common in other nations, emphasizing the nation's commitment to safeguarding its cyberspace.
The law gives the Ministry of Public Security (MPS) the power to inspect confidential company records, communications, and even intellectual property. Many multinational organizations are aware of these powers, and this has affected their decision to invest in China. However, many organizations outside China are not aware that these same powers allow MPS to test important infrastructure companies like banks, telecommunications, utilities, and manufacturing. Further, these penetration test results become public record. This puts pressure on Chinese organizations that are not found anywhere else in the world.
The tests are semi-scheduled, but the organizations being tested get no indication of the test plan or the actual test date. After testing is completed, the MPS publishes the results publicly where everyone can see the results. After the first couple of years, provincial governments took license to do similar kinds of pen-testing in their own regions, and several national business associations have also started pen-testing its members.
As a result, organizations in China now take security much more seriously than they used to. They tend to be less risk-tolerant when it comes to security deployments. They deeply inspect all traffic since it is mandatory – they try hard to decrypt everything. On the other hand, privacy has not evolved as far in China as it has in other parts of the world.
China may be an extreme model of the government shaping cybersecurity transparency practices in the private sector. The spectrum contains other examples as well, such as the EU AI Act. It complements existing data protection regulations, such GDPR, and therefore US-based SaaS companies must ensure that their AI services not only comply with the AI Act but also adhere to GDPR requirements.
The virtues of coming clean faster
Consumers and investors are no longer under the illusion that companies are not breached. If so, then the way a company handles the breach may be more important than the actual breach itself.
Beyond regulatory requirements, many companies are voluntarily choosing to be more forthcoming about cyber incidents given that they are a growing fact of life in a digital economy. While regulatory compliance creates a new baseline, the proactive disclosure and details of cyber breaches and the measures taken to mitigate their impact can drive accountability and strengthen relationships with customers and investors. Investors can see how the company manages risk and resilience, while customers feel safe about how their personal information is handled. This open dialogue builds trust and loyalty, setting the foundation for long-term relationships.
Furthermore, cybersecurity disclosures contribute to the broader cybersecurity ecosystem. By sharing information about cyber incidents and the lessons learned, companies contribute to the collective knowledge base, aiding the industry in developing more robust defense mechanisms against emerging threats. This is how many pen-testing activities have developed in China, extending to industry organizations specifically intent on improving the industry’s cyber fitness.
However, finding the balance between transparency and confidentiality is essential to maintain customer trust, comply with regulations, and safeguard competitive advantage.
In conclusion, the trend towards cybersecurity disclosures in the private sector is a positive development that strengthens trust, promotes accountability, and fosters a more secure digital environment. Companies that embrace transparency are not only mitigating risks but also building stronger relationships with their stakeholders, setting the stage for long-term success in the ever-evolving digital landscape.
What to read next
What directors can learn from cyber incident disclosures
When a breach isn’t all bad: Making the most of adverse cyber circumstances