How Cybersecurity Incidents Impact Stock Prices and the New SEC Cybersecurity Ruling

The consequences of a cybersecurity incident extend beyond compromised data and damaged reputation; they can also significantly impact a publicly traded company's stock price. This blog will explore how cybersecurity incidents can negatively impact stock prices and the Securities and Exchange Commission's (SEC) new cybersecurity ruling, which aims to address this growing threat.

 

The Connection Between Cybersecurity Incidents and Stock Prices

  1. Immediate Stock Price Drop: When a company experiences a cybersecurity incident, it often leads to an instant drop in its stock price. Investors panic as they fear the potential financial and reputational damage that can follow such incidents. This drop can be substantial, depending on the severity of the breach and the company's response.
  2. Loss of Customer Trust: Cybersecurity incidents erode customer trust, which can result in reduced revenues. Customers worry about the safety of their data and may take their business elsewhere. This loss of revenue and potential long-term damage to the customer base can further depress a company's stock price.
  3. Legal and Regulatory Costs: Dealing with the aftermath of a cybersecurity incident involves significant legal and regulatory costs. Companies may face fines, lawsuits, and the expense of implementing new security measures. These costs can negatively impact a company's financial health and, subsequently, its stock price.
  4. Reputation Damage: The impact on a company's reputation can be long-lasting. Investors take into account a company's brand image, and a tarnished reputation can lead to a loss of shareholder confidence, resulting in a decline in stock value.
  5. Operational Disruption: Cybersecurity incidents can disrupt a company's operations, causing downtime and affecting production. This disruption can result in lower revenue and profitability, causing investors to reevaluate the company's stock.

 

The SEC's New Cybersecurity Ruling & Financial Impact

Recognizing the increasing threat that cybersecurity incidents pose to investors and the financial markets, the SEC introduced new cybersecurity disclosure requirements. These requirements aim to enhance transparency and help investors make informed decisions about the cybersecurity risks associated with their investments, as determined by the shortfall in stock prices and dividends.

Another financial impact often comes in the form of penalties for negligence and non-compliance. Specific to the new SEC rules, there are currently no formal details of penalties or repercussions for failing to meet either of the two requirements of Cyber Risk Management and Incident Disclosure. However, it is expected that this may change in the near future. 

 

Key Aspects of the SEC's Cybersecurity Ruling

  1. Enhanced Disclosures: Publicly traded companies are now required to provide more detailed disclosures about their cybersecurity risks and incidents in their annual and quarterly reports, as well as in an 8-K filed four days after they learn of the cybersecurity event, including information on the potential financial and operational impact of the incident.
  2. Timely Reporting: Companies must promptly report material cybersecurity incidents to the SEC and investors, ensuring that investors receive timely information about potential risks.
  3. Board Oversight: The SEC encourages companies to have board-level oversight of cybersecurity risk management. This signals the importance of cybersecurity at the highest levels of an organization.
  4. Internal Controls: Companies are expected to establish and maintain effective internal controls to assess and mitigate cybersecurity risks.

 

Impact on Stock Prices

An example of how a cybersecurity incident can negatively impact the stock price of a publicly traded company can be seen in the recent MGM casino cyber-attack. On Friday, just hours before the attack, MGM Resorts International closed on the NYSE (MGM) at 43.74 with a market cap of $15.35B. Today (9/25/23), MGM is trading at 36.74 with a market cap of $12.9B. This incident represents a loss in market cap of 16%, which equates to $2.45B.

Las Vegas Review-Journal has estimated that MGM Resorts International is losing between $4.2 million and $8.4 million in daily revenue and around $1 million in cash flow every day. More details will surface as MGM is going to file an 8-K notice with the SEC, given that the event has a material effect on their businesses.

Another recent event that is testing the new SEC disclosure requirements is Clorox. On August 14th, Clorox disclosed on its website that it had been the victim of a hack that impacted several critical systems. Since then, Clorox has also filed an 8-K. Weeks later, Clorox further stated that it had to resort to manual processes while systems were being repaired, resulting in fewer orders being processed, which means fewer Clorox products are making their way to stores. 

The stock price of Clorox has fallen from 160.17 (8/14/23) to 132.32 (9/25/23). This breach represents a loss in market cap of 17%, which equates to $3.42B.

 

Conclusion

Cybersecurity incidents pose a serious threat to publicly traded companies, with significant potential to negatively impact their stock prices. The SEC's new cybersecurity ruling represents a crucial step toward addressing these risks by increasing transparency, accountability, and investor protection. Investors and companies alike must recognize the growing importance of cybersecurity in today's interconnected world and adapt their strategies accordingly to safeguard their data and investments.

CimTrak plays a critical role for organizations needing to comply with the SEC's new cybersecurity risk management and incident disclosure rules. It is a powerful ally in the constant fight against cyber threats and provides the necessary evidence from a compliance perspective. It offers real-time monitoring, compliance auditing, configuration management, and incident response capabilities, ensuring the protection of sensitive financial data and preserving investor trust. Learn how CimTrak can simplify your security requirements and provide continuous compliance with this new rule by visiting https://www.cimcor.com/ .


Disclaimer: This blog article is only a brief summary of the new Cybersecurity Risk SEC rule and does not constitute legal advice. Should you encounter a situation that constitutes a Cybersecurity Incident or any matter touched upon in this article, you should consult with legal counsel having experience in this area of the law and not rely on the information provided in this article.

Post by Mark Allers
September 28, 2023
Mark is the VP of Business Development at Cimcor and is responsible for driving the strategic focus and alignment with industry initiatives and partnerships. Mark has held executive management positions at six enterprise software companies and one venture capital firm over the past two decades.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.