Getting Serious About Cyber Risk? The SEC Fails on Several Levels

Last fall, the new owner of Yahoo’s web business, Verizon, shared that forensic experts had discovered that all 3 billion of Yahoo’s user accounts had been breached. As massive as that was, the news went virtually unnoticed. What should have taken our collective breath away didn’t.  Why?  For two reasons: (1) we have grown numb about hearing of massive breaches, and (2) no significant penalties for the lack of accountability for the Yahoo board of directors and for management negligence (I’m being charitable) was levied.

In September 2016, Yahoo announced that 500 million accounts had been stolen two years earlier. Three months later, we heard that an additional billion user accounts had been stolen. Amazingly, it became clear that the company’s management and board were notified of the breaches when they were discovered, yet they avoided taking action in favor of other activities until they were forced to publicly disclose the breaches during due diligence associated with their acquisition by Verizon two years later.

The ties between conduct risk and cyber risk are increasingly evident. The twin poster children of massive cyber breaches are Yahoo and Equifax. Like Yahoo’s leaders, the Equifax management knew they had massive cybersecurity vulnerability and didn’t take reasonable action. If the SEC’s mission is “to protect investors” and if it’s the agency with responsibility for the conduct of public companies’ management, what steps are they taking against these kinds of bad behavior?  Where lies their culpability in protecting the American consumer?

Four years ago in early 2014, SEC commissioner Luis Aguilar rattled his saber about holding boards accountable for cyber breaches.

So what has the SEC done to follow through since then? Nothing. They settled in April 2018 with Altaba (formerly Yahoo) for $35 million, which works out to about a penny for each of the 3 billion user accounts that were lost and long left unreported by Yahoo’s board and management. That hardly counts as a wrist slap. It certainly does not put executive management or boards of directors on notice about their responsibility or liability for poor risk oversight.

By not focusing significant efforts on stemming the threat of cyberattacks, the SEC penalizes companies that are actually doing the right things. The SEC is failing to motivate companies to spend adequately to protect their data systems and their customers’ data by not insisting that all companies follow the NIST guidelines rigorously.  They are giving the message that it’s not an important issue in today’s business, when in fact we all know it is one of the most important, if not most important issue facing companies today.

Why isn’t the SEC being more aggressive? Perhaps they are fainthearted because of their own cyber liability. In September, the agency announced that “software vulnerability” in EDGAR, the public-company filing system, had enabled illegal trading advantages for some period of time. This is particularly embarrassing given that an academic study back in 2014 revealed that “stock prices were moving about 30 seconds prior to public filings being made available on the SEC’s [EDGAR] website.” That disclosure alone should have prompted significant remedial action by the SEC.

Whatever the underlying reasons for the SEC’s apathy, motivating responsible conduct by boards and management is a long overdue step toward restoring public trust. While board governance of cyber risk gets broad lip service, massive breaches like Equifax and Yahoo illustrate that the lack of economic and regulatory pressure continues to allow organizations to avoid choosing to devote adequate resources to Warren Buffett’s  “number one problem with mankind.”