A new SEC disclosure ruling requires all U.S. public companies to disclose cyberattacks. This adds a new level of complexity to risk management for any planners working with or for these companies.
Meeting planners have a chafing dish of responsibilities outside of just regular planning. In addition to RFPs, negotiations, A/V, F&B, speakers, registration, and room setup (to name a few), planners must also prepare for climate incidents, sustainability concerns, and safety issues. Now, many will need to add cybersecurity to that list.
The last thing anyone wants is to have to report a data breach of attendee data to the Securities and Exchange Commission (SEC). But starting September 5, 2023, that’s exactly what the SEC requires. Under its new disclosure ruling, all public companies must divulge when a cyberattack has occurred.
No one knows yet how this will play out and who it will impact. For example, publicly traded companies will be able to determine whether a cyberattack has a material impact on their operations or valuation, according to an article by Robert Siciliano, a security and cybersecurity expert. But it may make things more complex, especially for meeting planners who have public companies as clients.
In his article, Siciliano provides a typical example of how this could impact someone in our industry: let’s say a planner manages a meeting for a publicly traded company, and the planner suffers a data breach, exposing the email addresses, usernames, and login credentials of all conference attendees.
At this point, enforcement is nebulous, to say the least. But if the planner’s actions (or inactions) are the source of the incident for a client, it’s possible the SEC will investigate the planner and their cybersecurity policies. Don’t be surprised if a client requests or requires documentation on cybersecurity policies and procedures, training records, mitigation and response plans, and ongoing steps to prevent cyberattacks.
“We are likely to see paragraphs in contracts between groups and hotels or groups and registration, housing, and third-party planning companies that require those collecting and managing data about attendees to warrant that they have appropriate cybersecurity measures in place,” said Tyra Warner, Ph.D., JD, CMP, Dept Chair, Hospitality & Tourism, The Coastal College of Georgia. “We are also likely to see cybersecurity breaches or attacks become a specific issue raised in indemnification and hold harmless clauses,” she said.
The SEC felt a policy like this was needed because of the underreporting of cybercrimes and because current reporting, which mixes in other business concerns, did not provide enough data to shareholders. According to Siciliano, the SEC has extensive investigative capabilities, and its investigations can be lengthy, disruptive, and expensive.
For some planners, the new ruling raises the question: what kind of information do we need to protect? And how do we do that?
“A few years ago, a client of mine shared with me that her attorneys said to be careful with sharing attendees’ dietary needs,” said Tracy Stuckrath, CSEP, CMM, CHC, owner and founder of thrive! meetings & events. “There were some people who had requested kosher meals. The attorneys said that information could possibly be used to target certain attendees.”
Does this mean planners need to revisit what they ask for on registration forms for emergency contact information or even food allergies? What information could a planner be liable for in the case of a cyberattack, especially for publicly traded client companies?
Planners might not need to hire a Chief Information Security Officer (CISO) yet. However, it may be reasonable for planners to include cybersecurity issues in their planning. They don’t have to be experts on technology, but they’ll have to make sure whoever is managing it is: someone who will keep hackers out so that the SEC doesn’t come in.