Should Not-for-Profit and Private Companies Care about Proposed SEC Cyber Disclosure Requirements?

Blog #6 – Epilogue to SEC Cyber Series

(Originally appeared December 5, 2022, in my Enabling Board Cyber Risk Oversight blog at Should Not-for-Profit and Private Companies Care about Proposed SEC Cyber Disclosure Requirements?)

Introduction

In my Blog Series, SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, I covered the four specific proposed changes in the SEC rulemaking:

  1. Reporting of Cybersecurity Incidents on Form 8-K
  2. Disclosure about Cybersecurity Incidents in Periodic Reports
  3. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
  4. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

I received feedback and questions from executives and board members at not-for-profit and private companies that essentially conveyed, “not a problem; we don’t deal with the SEC” or “why bother with these requirements when we have a myriad of other regulations with which to comply.”

In this post, I address the question, "Should Private Companies Care about Proposed SEC Cyber Disclosure Requirements?”

The bottom-line-up-front (BLUF) is YES!

In total, as of September 2022, the NYSE had a combined total of 2,578 listed domestic and international companies, while the Nasdaq had 3,788, for a grand total of 6,366 publicly listed companies.[1] So, the population of companies subject to SEC disclosure requirements is small, especially when considering the approximately 32.6 million businesses in the U.S.[2] The point is that private companies dominate the U.S. economy and are not directly subject to SEC registration, reporting, and disclosure requirements. However, they are increasingly targeted by adversarial threat sources AND subject to the same accidental, structural, and environmental threat sources that public companies face. Getting one’s cyber risk management ducks in a row is not just for SEC-regulated companies.

Within these millions of non-public organizations are an estimated 1.5 million non-profit organizations[3], which include many of our largest health systems, and 16,000 PE-backed portfolio companies.[4] While an argument can be made for all the millions of non-public U.S. businesses to care about the proposed SEC cyber disclosure requirements, I will focus on non-profit healthcare organizations and PE-backed firms.

Here are my top 7 reasons why private companies should care about proposed SEC cyber disclosure requirements:

  1. The SEC has the authority to investigate all companies that seek to raise capital from U.S. investors. Among other avenues, investors in private companies often exit by way of an initial public offering and going public. The SEC's oversight includes all public and private companies making any false or misleading statements as part of an offering process.[5] Any private company would be required to provide responses to the proposed SEC cybersecurity disclosures in its registration statement. Therefore, private companies should eagerly work on their cybersecurity and cyber risk management program to be able to tell a proactive and progressive story to their prospective investors, responsive to the SEC’s proposed cyber disclosures. As the authors point out in “The SEC Takes Aim at the Public-Private Disclosure Gap,” “… the line between ‘investors’ and the ‘public’ has blurred in recent decades, as a majority of the American public is now exposed to both public and private market risk through pension funds, education savings plans, and company retirement programs.”[6]
  2. A strategic acquirer of a private company may already be public and currently subject to SEC disclosure requirements. In this case, any potential acquirer would already be filing required cyber-related reports and disclosures and would place value on any private company efforts to not only easily make the disclosures but, more importantly, have a mature enterprise cyber risk management program in place. According to a recent Forescout report, 48% of business leaders encountered a critical cyber issue or incident during an M&A transaction that jeopardized the deal.[7] Private companies should be attentive to the SEC’s proposed cyber disclosures and what’s driving them: better enterprise cyber risk management.
  3. Forget about acquisitions and IPOs; take care of your current stakeholders. As I’ve written throughout my series on SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, the proposed SEC disclosure requirements are important to investors. At the same time, they are a means to an end: driving improvements in cyber risk management. Private companies and non-profit organizations have customers, perhaps patients, investors, bankers, insurers, employees, and regulators (think: HIPAA, GLBA, FERPA, GDPR, etc.), all of whom expect your organization to have and benefit from a robust cyber risk management program.
  4. The cost of capital is lower for all organizations that establish, implement, and mature an enterprise cyber risk management program. Credit-rating agencies, including Standard and Poor’s, Moody’s, and Fitch Group, have all implemented consideration of the financial impact of a cyber attack on an organization’s credit rating. Moody’s downgraded the credit rating outlook for Equifax from “stable” to “negative” based on the immense data breach the company experienced in 2017.[8] SolarWinds had its rating lowered by S&P from a B+ to a B rating in April of last year after a cyberattack in 2020.[9] The proposed SEC cyber disclosure requirements provide a north star for improved cybersecurity and, therefore, access to capital at a lower cost, whether you are private or public.
  5. Most private companies are part of public company supply chains. Heads up: even though you may serve on the board of a private company, your customers and vendors may be public companies. When the proposed SEC cyber disclosure requirements are finalized, expect your public company stakeholders to raise the ante in terms of your incident response and reporting to them. We saw similar requirements tighten when the Omnibus Final Rule codifying the HITECH Act was published in the Federal Register in 2013.[10] Along with public companies, private companies and non-profit organizations must strengthen and be more transparent about their cyber risk management programs. Public companies are likely to become more discriminating about the partners with whom they choose to work, looking for them to disclose detailed information like that proposed by the SEC about their cyber risk management programs.
  6. Manage talent risk in the new world. COVID-19, the “Great Resignation,” big tech layoffs, and “quiet quitting” have created a new set of dynamics for organizations striving to attract and retain talent. Organizations with tainted reputations due to material cyber incidents will likely have a more difficult time with talent management, now a board issue. Existing workforce members and candidates may conclude that management and the board either don’t know or don’t care about managing cyber risks. Who wants to work there? In general, members across the workforce will think twice. Specific to cybersecurity talent, how competitive will your company be in attracting cybersecurity professionals in the face of the current shortage of 3.4 million cybersecurity workers worldwide?[11]
  7. Manage the expectations of your board members from public companies. Many private and non-profit organizations benefit from having their board members serve as executives or directors of public companies. As such, they bring to their private company and non-profit organization boards the order, process, and discipline around regulatory compliance they expect in their public companies. After all, all board members in all companies have fiduciary responsibilities. They see the value of transparency and its importance to all stakeholders. They realize that public company requirements, like the proposed SEC cyber disclosure requirements, may be a harbinger for all organizations.

Some of the largest companies in the U.S. are private companies (think #1 Cargill $134.4B; #3 Publix Supermarkets $44.9B; #4 Mars $40B; #10 Fidelity Investments $21B).[12] I fully expect that, while they may not have SEC reporting and disclosure requirements, they are very proactive in their efforts to deepen trust with all their stakeholders. As a result, I would expect their Equity, Diversity, and Inclusion (ED&I), ESG, and Cyber Risk Management programs, among others, to be world-class.

Private and non-profit organizations should care about proposed SEC cyber disclosure requirements as a means to an end: better safeguarding of their information assets, and better outcomes for all their stakeholders.

Endnotes


[1] Statista. "Comparison of the number of listed companies on the New York Stock Exchange (NYSE) and Nasdaq from 2018 to 3rd quarter 2022, by domicile." November 1, 2022. Available at https://www.statista.com/statistics/1277216/nyse-nasdaq-comparison-number-listed-companies/

[2] Small Business and Entrepreneurship Council. "Facts & Data on Small Business and Entrepreneurship." Accessed November 21, 2022. Available at https://sbecouncil.org/about-us/facts-and-data/

[3] Zippia. "25 Incredible Nonprofit Statistics [2022]: How Many Nonprofits Are in the US?" November 13, 2022. Available at https://www.zippia.com/advice/nonprofit-statistics/

[4] EY. "Economic contribution of the US private equity sector in 2020." May 2021. Available at https://www.investmentcouncil.org/wp-content/uploads/ey-aic-pe-economic-contribution-report-final-05-13-2021.pdf

[5] WTW. "SEC enforcement is not just a public company concern: What private companies need to know." November 18, 2019. Available at https://www.wtwco.com/en-US/Insights/2019/11/sec-enforcement-is-not-just-a-public-company-concern-what-private-companies-need-to-know

[6] Katz, David A. McIntosh, Laura A., Lipton, Wachtell. Harvard Law School Forum on Corporate Governance. "The SEC Takes Aim at the Public-Private Disclosure Gap." January 28, 2022. Available at https://corpgov.law.harvard.edu/2022/01/28/the-sec-takes-aim-at-the-public-private-disclosure-gap/

[7] Forescout. "The Role of Cybersecurity in M&A Diligence." 2019. Available at https://www.forescout.com/merger-and-acquisition-cybersecurity-report/

[8] Nicole Lindsey. CPO Magazine. “Equifax downgrade shows the lasting financial impact of a massive data breach.” June 3, 2019. Accessed February 3, 2020. https://www.cpomagazine.com/cyber-security/equifax-downgrade-shows-the-lasting-financial-impact-of-a-massive-data-breach/

[9] Stupp, Catherine. WSJ. "Credit-Raters Look More Carefully at How Companies Respond to Cyberattacks." October 27, 2022. Available at https://www.wsj.com/articles/credit-raters-look-more-carefully-at-how-companies-respond-to-cyberattacks-11666863002

[10] U.S. Department of Health and Human Services. "Business Associate Contracts." Accessed November 21, 2022. Available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

[11] (ISC)². "(ISC)² Cybersecurity Workforce Study 2022." October 17, 2022. Available at https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx

[12] Murphy, Andrea. Forbes. "America's Largest Private Companies." Nov 23, 2021. Available at https://www.forbes.com/largest-private-companies/list/
