Importance of Cybersecurity Reporting
As companies continue to acquire more data, there is a heightened concern for data security. Over the last few years, there have been many high-profile cybersecurity attacks as hackers try to steal data to leverage that data against companies. These attacks lead to bad publicity and scrutiny of management, causing some companies to be less transparent regarding cybersecurity failures. As cybersecurity attacks become more prevalent, how should companies report an attack in their environmental, social and governance (ESG) report?
Companies have governance responsibilities to protect the data they collect. However, when a cybersecurity attack occurs, there are no set regulations that companies must follow. Most companies opt to file a press release, followed by a statement of possible concerns in future 10-Ks and 10-Qs. That said, companies that comply with widely accepted ESG standards have specific reporting requirements when disclosing a cybersecurity attack. The following sections describe the proposed ESG standards and their guidance on cybersecurity attacks.
Global Reporting Initiative (GRI)
The Global Reporting Initiative (GRI) is one of the leading ESG reporting standards. The GRI does not focus on a single industry; instead, it establishes broad standards that apply to almost every industry. GRI Standard 418-1, regarding substantiated complaints about customer privacy and losses of customer data, requires companies to report the following information:
a. Total number of substantiated complaints received concerning breaches of customer privacy, categorized by:
   i. complaints received from outside parties and substantiated by the organization;
   ii. complaints from regulatory bodies.
b. Total number of identified leaks, thefts, or losses of customer data.
c. If the organization has not identified any substantiated complaints, a brief statement of this fact is sufficient.
In part (a) above, the standard defines a substantiated complaint as a “written statement by a regulatory or other official body that identifies breaches of customer privacy, or a complaint lodged with the organization that has been recognized as legitimate by the organization.” The GRI requires that companies disclose the number of complaints separated by two groups: outside parties and regulatory bodies. Interestingly, GRI defines a breach of customer privacy to be any non-compliance with either existing regulations or voluntary standards regarding the protection of customers’ privacy.
Under part (b), the company should aggregate all identified leaks into one report so that this information can be easily obtained. This helps identify which customers need to be notified that their data may be compromised. The company can also use this report to identify patterns in its security breaches and to keep accurate records of them.
Lastly, part (c) requires companies that have not had any security complaints to simply issue a statement acknowledging that fact.
The Global Reporting Initiative standards require companies to report the number of complaints and attacks (or other leaks) so that they comply with the guidelines of the Organization for Economic Co-operation and Development (OECD). The OECD expects organizations to “[r]espect consumer privacy and take reasonable measures to ensure the security of personal data that they collect, store, process or disseminate” (OECD). The GRI encourages whistleblowers and regulatory agencies to send complaints to companies, which must then disclose these complaints; the required disclosure is intended as an incentive to prevent breaches from happening in the first place.
Sustainability Accounting Standards Board (SASB)
The Sustainability Accounting Standards Board (SASB) is one of the world’s leading ESG standards and creates industry-specific standards for 77 major industries. These requirements provide consistency across companies in any given industry for investors and other stakeholders. The following discussion outlines how the SASB requires companies in the software industry to report cybersecurity attacks, which can be found here. SASB standard TC-SI-230a.1 is summarized below:
The SASB defines a data breach as “the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.” Additionally, if a company has a reasonable belief that, for example, encrypted data could be readily decrypted, it must report that data in its sustainability report. The scope of the disclosure under subsection (a)(ii) is limited to breaches in which the affected individuals were notified of the breach, either as required by law or voluntarily by the company.
SASB standard TC-SI-230a.2 is also summarized below:
- The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk.
- The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology.
- The entity shall describe its use of third-party cybersecurity risk management standards.
- The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems.
- The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the entity’s approach to addressing data security risks and vulnerabilities.
- All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity’s ability to maintain data privacy and security.
The SASB reporting guidance is not intended to replace or even simply supplement the SEC’s mandatory disclosure requirements. Rather, SASB aims to achieve uniformity in company reporting guidance for cybersecurity attacks.
Most companies choose to disclose cybersecurity attacks only when there has been a material breach or attack that results in a large amount of data being stolen. Often, companies disclose this information in their 8-K, 10-Q, or 10-K as this information is vital for shareholders to make informed investing decisions and is mandated by the Securities and Exchange Commission (SEC).
Currently, the SEC has proposed new disclosure rules (the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) that would require companies to do the following in the event of a cybersecurity breach:
- Disclose a material cybersecurity attack on an 8-K within four business days of the attack becoming known.
- Disclose information about the attack, such as when the incident occurred, what its scope is, how it affects operations, and what the company is doing to remediate the issue.
Investors and regulators are asking for more transparency about how companies mitigate and respond to cybersecurity attacks. While material cybersecurity attacks do not occur on a regular basis, it is important for companies to provide regular disclosures to stakeholders. Companies that already comply with the SASB or GRI reporting standards for cybersecurity breaches will be better prepared for the heightened SEC scrutiny to come.