AT Think

What the SEC's new data rules mean for accounting

Our current golden age of technology has brought us revolutionary new business tools, but with their welcome arrival have come new threats. Given the exponential growth of data and the tenacity of digital hackers, cybersecurity has become a top priority for government regulators.

And why shouldn't it be? In the last few months alone, significant data breaches were announced by HCA Healthcare, the Missouri Department of Social Services and the Police Service of Northern Ireland, the last of which may put the lives of police officers at risk. Around the same time, Meta was fined $1.3 billion by European data protection regulators over its transfers of Facebook users' personal data, a fraction of the $5 billion fine the U.S. Federal Trade Commission levied against the company for privacy violations in 2019.

Perhaps not surprisingly, in July the Securities and Exchange Commission adopted new rules on cybersecurity risk management, strategy, governance and incident disclosure for public companies. The development with the greatest practical impact on company accounting departments and the firms that serve them is the requirement that a cybersecurity incident, once determined to be material, be disclosed on Form 8-K within four business days of that determination.

Why public companies are spooked by the SEC ruling

The new rules highlight the seriousness of today's cyber threats, and the fact that organizations must take how they protect data more seriously. This applies not only to tightening access to sensitive data, including that of clients, employees, partners and vendors, but also to the disciplined recording of when data is accessed, by whom and for what purpose.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," said SEC Chairman Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, these rules will benefit investors, companies and the markets connecting them."

It should go without saying that public companies should be expected to adhere to a baseline level of accountability in the care and curation of sensitive data. But do the SEC rules amount to an overcorrection? The initial reaction from company leaders and relevant commenters has been a resounding yes. Much of that pushback, however, seems tied to a reading of the fine print, specifically the notion that the SEC is demanding a full accounting of a cybersecurity incident within four business days of its occurrence. The devil, in this case, is very much in the details.

What the SEC's new rules really mean

Anyone with a background in corporate cybersecurity can attest that four business days isn't a reasonable window for a company to detect, contain and fully assess a data breach. But that isn't what the SEC is asking for. The four-business-day clock starts when the company determines that the incident is material, not when the incident occurred or was first discovered. In other words, a company that discloses the nature, scope and timing of the incident, along with its likely impact, within four business days of concluding that it is material should be in compliance, even if the intrusion itself began months earlier.

That's a critical distinction, because determining the materiality of a data incident can be a bramble patch. For instance, if Company A loses an estimated 100,000 records in a breach, the financial impact could be far-reaching: lost revenue, eroded customer trust leading to reduced sales, and countless ripple effects. Moreover, does Company A actually know how many records were compromised? Overreporting that number could cause undue harm to the business, but underreporting it muddies the materiality assessment and may invite more scrutiny from the SEC.

Further complicating matters, the rules require only that the materiality determination be made "without unreasonable delay" after the incident is discovered. That gives companies time to gather incident details, but the gap between discovery and disclosure also leaves the market exposed to insider trading risk, which runs counter to the SEC's goal in adopting the rules in the first place.

Rethinking the corporate cybersecurity problem

The cybersecurity mandate for publicly traded companies is as clear now as it ever was: Organizations that benefit from the collection, storage and use of shared data should be expected to build reliable data-security systems and held accountable for a failure to meet that mandate. What is less clear is the best way to achieve that goal. As critical as data security is to public trust and safety, regulators can't ignore current cybersecurity limitations or expect organizations to pull rabbits from their hats in order to comply.

The sheer amount of data handled by organizations is constantly growing, which would be difficult for any organization to keep pace with even if attack and defense techniques weren't constantly evolving. Businesses can address the issue by routinely evaluating the purpose and value of the data they collect, and scaling down whenever possible. Additionally, organizations must take a long, hard look at who has access to which data. A 2021 survey from the Ponemon Institute indicated that 70% of employees have access to data they shouldn't see, and 62% of IT security professionals say their organizations have suffered a data breach due to employee access.

In the case of data breaches specifically, high-quality access logs and data access auditing provide much of the information a company needs to get its arms around an incident: which accounts touched which records, when, and for what stated purpose. Materiality is far easier to assess when a company can accurately report the scope of an incident rather than estimate it, and the count of affected records can only be exact if access was logged at the record level in the first place.
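To make the point concrete, here is an added example (not code from the article or from any product) of how per-record access logging turns "an estimated 100,000 records" into a number a company can defend. The log format, field names, account names and record IDs are all assumptions constructed for the illustration. Given a compromised account and the incident window, the script counts the distinct records that account touched, lists the tables where the log recorded only table-level access (so the count there is an upper bound at best), and flags accesses with no recorded purpose.

```python
"""Scope a suspected breach from a data-access audit log (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample log: one JSON object per data-access event. The field
# names and values are assumptions for this example, not any real product's
# format. The "payroll" export carries no record IDs, standing in for a
# system that logs access only at the table level.
SAMPLE_LOG = """\
{"ts":"2023-08-01T09:02:11Z","actor":"svc-report","action":"read","table":"customers","record_ids":["c-1001","c-1002"],"purpose":"monthly-billing"}
{"ts":"2023-08-03T22:14:05Z","actor":"jdoe","action":"read","table":"customers","record_ids":["c-1002","c-1003"],"purpose":"support-ticket-4411"}
{"ts":"2023-08-03T22:19:40Z","actor":"jdoe","action":"export","table":"customers","record_ids":["c-1003","c-1004","c-1005"],"purpose":""}
{"ts":"2023-08-03T22:25:02Z","actor":"jdoe","action":"export","table":"payroll","record_ids":null,"purpose":""}
{"ts":"2023-08-04T08:00:00Z","actor":"jdoe","action":"read","table":"customers","record_ids":["c-1001"],"purpose":"support-ticket-4412"}
{"ts":"2023-08-05T10:00:00Z","actor":"jdoe","action":"read","table":"customers","record_ids":["c-1009"],"purpose":"support-ticket-4413"}
"""


def utc(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Turn newline-delimited JSON events into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = utc(event["ts"])
        events.append(event)
    return events


def scope_incident(events, actor, start, end, table_sizes=None):
    """Summarise what `actor` touched between `start` and `end` (inclusive).

    table_sizes maps a table name to its row count; it is used only to bound
    the exposure of tables that were logged without record IDs.
    """
    table_sizes = table_sizes or {}
    exact = {}          # table -> set of distinct record IDs seen
    unscoped = set()    # tables accessed with no record IDs in the log
    no_purpose = []     # events with an empty purpose field
    matched = 0
    for event in events:
        if event["actor"] != actor or not (start <= event["ts"] <= end):
            continue
        matched += 1
        if event["record_ids"] is None:
            unscoped.add(event["table"])
        else:
            exact.setdefault(event["table"], set()).update(event["record_ids"])
        if not event["purpose"]:
            no_purpose.append((event["ts"].isoformat(), event["action"], event["table"]))

    exact_count = sum(len(ids) for ids in exact.values())
    # The upper bound adds every row of each table-level-only table. If any
    # such table has no known size, no honest bound can be stated.
    missing_size = [t for t in unscoped if t not in table_sizes]
    upper = None if missing_size else exact_count + sum(table_sizes[t] for t in unscoped)
    return {
        "events": matched,
        "records_exact": exact_count,
        "records_by_table": {t: sorted(ids) for t, ids in exact.items()},
        "unscoped_tables": sorted(unscoped),
        "records_upper_bound": upper,
        "no_purpose_events": no_purpose,
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    window = (utc("2023-08-03T22:00:00Z"), utc("2023-08-04T23:59:59Z"))
    print(json.dumps(scope_incident(evts, "jdoe", *window, {"payroll": 340}), indent=2))
```

In the sample, the compromised account touched exactly five customer records inside the window; the earlier `svc-report` access and the access the day after the window are correctly excluded. The payroll export, logged without record IDs, can only be bounded by the table's row count, which is precisely the "do we actually know the number" problem raised above. The two events with an empty purpose field are the ones an auditor would want explained first.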

I believe that organizations that are the custodians of sensitive data would benefit from additional training and support resources to improve their data protection practices. In addition to — or perhaps in lieu of — penalties, incentives should be explored for those companies that champion and demonstrate cybersecurity best practices. It's simple, really: If the SEC doesn't dangle a carrot to coax organizations into meeting the agency's new data-security policy, it's unlikely it will have enough sticks to enforce it.
