The SEC's New Take on Cybersecurity Risk Management

COMMENTARY

The advent of generative AI is surfacing new risks, significantly raising the stakes for businesses around the globe and for marketplace stability. In reaction to the logarithmic growth of cybercrime, the guidance and regulatory landscape is changing rapidly. While historically, the United States preferred frameworks over regulation, in 2023 there was a significant regulatory development: the introduction of new cybersecurity rules by the Securities and Exchange Commission (SEC). These rules for publicly traded companies focus on cybersecurity risk management, governance, and incident disclosure. Designed to enhance investor protection and market transparency, the SEC seeks to ensure timely and effective communication of events that affect the financial health or stability of publicly traded companies.

Under the new disclosure rules, registrants must report within four days any cybersecurity incident they have determined to have a "material impact," meaning it could significantly affect the company's operations or finances. Companies must therefore swiftly assess the nature and scope of the incident, including the type and volume of compromised data and the potential business, legal, or regulatory impacts.  

As companies grapple with these new regulations, there are already important insights to be gleaned from the experiences of several major entities that have reported breaches and made disclosures. Here are three:

Clorox

In August 2023, Clorox experienced a severe cyberattack affecting the company's automated order processing. This incident caused widespread disruption, resulting in delays in processing orders and significant product shortages, which adversely affected sales and earnings. In fiscal year 2024, Clorox expects to incur approximately $57 million to $65 million ($43 million to $49 million after tax) of costs related to the cyberattack. These costs relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs from the resulting disruption to the company's business operations. Its chief information security officer (CISO) is also no longer working for the company. Recent reports suggest that security audits had flagged issues for years. Clorox also noted that net sales are expected to be down as "the effects of the cyberattack are expected to negatively impact fiscal year 2024 results."

Prudential Financial

In February 2024, Prudential Financial reported a breach, though it came out largely intact. Prudential also adhered to SEC rules in its disclosures, but the company sought to get ahead by voluntarily reporting the incident before a material impact was determined. In its filings with the SEC, Prudential disclosed detecting unauthorized access to its infrastructure on Feb. 5. This breach involved "administrative and user data from certain IT systems" and impacted what the company said were a small percentage of employee and contractor accounts. The intrusion, which has since been attributed to the ALPHV ransomware gang, exposed the names, addresses, and personal identifiable information (PII) of 36,545 individuals. Prudential's decision to file proactively with the SEC may signal a new trend toward disclosure prior to ascertaining materiality, with another filing after materiality is determined.

UnitedHealth

Most recently, UnitedHealth suffered a massive attack against its subsidiary Change Healthcare that breached millions of patients' records and brought prescription fulfillment and claims processing to a standstill. UnitedHealth disclosed the attack on Feb. 21, and initially attributed it to a nation state, without determining materiality or specifying how many people were affected. UnitedHealth reported it was focused on restoring operations. Theincident severely impacted doctors and healthcare facilities that serve millions of Americans, including an estimated 30 million disadvantaged and uninsured people. The company did not disclose if the attackers demanded a ransom. But a post in an online hacker forum claimed UnitedHealth paid $22 million to regain access to its systems. UnitedHealth has since filed an amendment to its initial 8-K. Today, the company faces at least 24 lawsuits and extensive financial repercussions. UnitedHealth announced recently that it anticipates the cyberattack on Change Healthcare could cost the company as much as $1.6 billion, which some analysts argue is an understatement. Since revealing the attack, UnitedHealth's stock price has dropped nearly 15%.

Lessons Learned

Each of the above cases offer guidance for further study. However, three early lessons are now on display for enterprise risk management:

Editor's note: This column was updated on May 29, 2024, to correct figures for Clorox.