Cybersecurity Assessment

Assessing the Impact: Cyberattacks and New U.S. Reporting Rules

It’s inevitable: hackers will continue to attack U.S. companies.

And recent updates to Securities and Exchange Commission cybersecurity rules will require these targeted companies to provide new reporting content. Reporting to the SEC is no longer just about the details of the hacking incident; it now also includes impact.

The SEC has updated its reporting requirements to cover more about the potential effects of a cyberattack. Most public companies will be required to report material impacts to the SEC starting in December 2023. 

While assessing the material impacts for SEC reporting purposes may be new, dealing with the impacts themselves is not. Cyberattacks increasingly cause major disruptions for organizations and companies. A few examples of impact:

Operational disruption. Downtime is lost time, and much more. Shutting down systems to contain an attack can cause missed deadlines, product shortages, and service interruptions. When standard business operations are disrupted, the impact is like a shock wave, inflicting damage on your business as it spreads through the organization’s productivity and wreaking havoc on financial security.

Confidence and credibility. Cyberattacks damage reputation, and buyers’ trust is slow to rebound. Just one incident can permanently influence customer loyalty, potentially translating into reduced engagement and lost revenue. Impacts may include increased consumer turnover and the staggering cost of acquiring new business following an incident that diminishes reputation.

Financial impacts. When systems and data are compromised, there are direct and indirect financial impacts. While calculating lost revenue from a cyberattack is company-specific, it is often jaw-dropping. Among other financial impacts, investors may use information about an organization’s cyber breaches to drive decisions. A reduction in shareholder value is an example of a deep and long-term effect of a cyberattack. More immediately, a cyberattack may put a business in the unsavory position of deciding to pay a ransom. In the past few weeks alone, ransomware incidents ravaged hospitality business giants MGM Resorts and Caesars Entertainment, with Caesars paying a ransom of $15 million. These high-profile attacks overshadow the smaller companies that are also battling victimization and extortion at record levels: Companies both large and small are potential targets. 

What should you do? 

Given the magnitude of damage that can be caused by cyberattacks, one of the most important steps an organization can take is to create a company culture of cyber resilience. In every way, cybersecurity must go beyond the IT department and engage all of an organization’s leadership and all of its employees. Cyber resilience is no longer just about remediating an attack; it’s about building a comprehensive strategy that includes training, incident response, and constantly identifying weaknesses and mitigating areas of risk to protect your critical infrastructure.

Moruga has led clients through security, reliability, and performance enhancements that are state-of-the-art in the business technology community. Moruga is ready to partner with you. Learn more about Moruga’s Cybhermetics™ approach to managing your company’s security.

Our professionals are ready to talk about your business’s specific cyber security needs – connect now.