A Done Deal: Corporate Cybersecurity Now The SEC’s Business

August 21, 2018

The SEC has made clear that it requires disclosure not only about breaches, but also about the risk of a breach. That means that even though the U.S. has nothing like Europe’s 72-hour reporting rule, part of the GDPR, it does have a de facto reporting rule. This Forbes article summarizes recent SEC statements and their implications for public companies, which now have to report potential cyber-breach risk as well as material incidents in their quarterly (10-Q) and yearly (10-K) filings and, when necessary, in their 8-K Current Report filings. Statistics from the Ponemon Institute graphically illustrate the potential materiality of the issue. Its 2017 survey pegged the average incident cost at $3.6 million. Another study finds the average cyber insurance claim for large companies is about $3.2 million, a figure that is said to include hard costs only, and not such things as reputational damage.
