Impacts of SEC Cybersecurity Disclosure Rule
My cyber and IP friends:
This is a great article by Hilary Tuttle in Risk Management Magazine talking about the potential impact of the new SEC Cybersecurity Disclosure Rule. I've written about and created a short video discussing this already, but it is worth continuing to point out that these rules demand that any risk that may be "material" to the organization's future earnings must be a) identified and "risk managed" properly and b) any breach involving such must be disclosed via an 8-K filing.
Trade Secret Assets (TSAs), particularly corporate #crownjewels create true competitive advantage for your company and ARE material. Therefore, it will be nearly impossible for a company to say they have addressed cyber risk to all material assets (not including PII and PHI which are not trade secrets) if they have not identified and segregated their #tradesecrets from other data via their asset classification protocols. Once identified (and ideally valued at least relative to each other), robust measures must be applied to show a judge or jury that these are, in fact, more valuable than other assets.
According to sources cited (Deloitte and PwC surveys, etc), many companies don't feel great about their ability to combat cyber crime/incidents and even more don't have proper Board representation. The stats would be MUCH worse if the questions were specifically about TSAs since most companies have no formal trade secret risk management process.
Yet, companies spend on average close to 3 years and $4.2 million trying (and often failing) to protect their exclusive rights to these assets AFTER they've been stolen (for a single TSA worth only $10M - $20M)! That's like not assessing what buildings are on the coast or the loss control measures you have in place to prevent wind and storm surge damage, and then running in after the storm to see what's left standing. There's no insurance of course (in this analogy), so you sue the builder?? No company would do that. (I grant you this vastly oversimplifies the ease with which a company can identify all of its trade secrets, but still...)
There are hundreds of cases where (what should be) trade secrets are taken, but the victim either a) has no idea they were taken because their DLP plan doesn't identify "trade secrets", b) can't prove they were taken, c) didn't identify them as a trade secret before the theft and therefore hasn't used "reasonable measures" to protect them, d) cannot prove that they were not "independently developed"... or some other factual/evidence-based issue. Companies can and do go bankrupt over this!
For highly innovative companies without much in the way of tangible assets, this is a far bigger risk than a BI loss from a ransomware event or a breach of PII. I think this is what the SEC is after... and rightly so.
Article: https://www.rmmagazine.com/articles/article/2023/12/01/sec-cyber-rules-signal-new-enforcement-plans