Where Does the SEC Stand on I-9 Security?

These days, we’re reading more and more about the Securities and Exchange Commission’s (SEC) efforts to guide how corporations report on risks. In March we discussed how I-9 compliance intersects with SEC considerations. In May, we were one of the first to report on the SEC serving Chipotle with a subpoena to produce documents related to its I-9 compliance.

Historically, SEC regulations required companies to accurately report on financial liabilities that are deemed “material risks” that ultimately influence investors and shareholders. As our society evolves into the digital age, companies have followed and so has the SEC’s interpretation of what qualifies as a “material risk,” which has expanded to include cybersecurity threats. This is where public corporations must beware.

Which Direction is the SEC Headed?

Last October, the SEC’s Division of Corporate Finance released a Disclosure Guidance on cybersecurity as an instructive document. The document does not have the force of law, but its provisions offer an important glimpse into the government’s future direction. Mainly, the SEC wants corporations to be more open about reporting their cybersecurity risks on their financial statements, short of publicly revealing a “roadmap” to their cybersecurity vulnerabilities.

Although the Disclosure Guidance is not new guidance and is not mandatory for public corporations, the string of cybersecurity breaches this year alone has Congress scrambling to draft legislation imposing on public corporations a requirement to disclose cybersecurity risks.

How It Affects Public Corporations

A cybersecurity breach, whether of proprietary data, employee data, or client data, can be very costly to a corporation. Breaches could result in any of the following:

  • Loss or theft of financial assets
  • Loss or theft of intellectual property
  • Loss or theft of client or partner data
  • Substantial costs in remediation (credit report monitoring, etc.)
  • Substantial costs in increased cybersecurity (including organizational changes)
  • Loss or training of employees
  • Loss of customers
  • Cost of litigation
  • Reputational injury affecting customers
  • Reputational injury affecting investors

Although a security breach of an organization’s electronic I-9 and E-Verify data might not lead directly to the loss of client data, and so might not on its own be considered a “material risk,” any cybersecurity breach can be symptomatic of deeper vulnerabilities at a corporation, triggering further scrutiny by the SEC. The following five risk factors outlined by the SEC in the Disclosure Guidance serve as a helpful guide:

Risk Factor 1: “Discussion of the aspects of [ ] business or operations that give rise to material cybersecurity risk and other potential costs and consequences.” Public organizations that follow best-practice protocols when conducting due diligence of their electronic I-9 and E-Verify software vendors will have a better understanding of the level of security their vendors are providing. Due diligence requires asking a multitude of meaningful questions, including those related to a vendor’s cybersecurity protection.

Risk Factor 2: “Outsourced functions that have material cybersecurity risks, description of those functions and how they are addressed.” Locating a compliant electronic I-9 or E-Verify vendor may be difficult, but is that same vendor then outsourcing critical functions within its organization? Be sure to ask this during your due diligence. Your organization is only as strong as your weakest link.

Risk Factor 3: Material cyber incidents that result in costs and other consequences. Cybersecurity incidents or breaches that result in meaningful financial or other consequential costs may warrant disclosure on financial reports. Thus, understanding your vendors’ cybersecurity history and the strength of their security offerings, including cyber-insurance, is a good policy to adopt.

Risk Factor 4: “Risks related to cyber incidents that may remain undetected for an extended period.” Latent cybersecurity threats from a vendor won’t be identified unless your organization partners with critical team members who understand this arena and can ask the right questions (e.g., Chief Security Officer, Chief Information Security Officer, or the Information Technology Team).

Risk Factor 5: Description of relevant insurance coverage. Public organizations engaged in the digital management or processing of highly sensitive (and even personally identifiable) data should be ready to invest in relevant cybersecurity insurance. At the very least, partnering with an electronic I-9 and E-Verify organization that is already equipped with cybersecurity insurance is another step in reducing risk.

Although the pending legislation may not be passed in this Congressional term, Congress passing some form of legislation mandating certain cybersecurity disclosures probably won’t be too far in the future. Will your organization be prepared?