Gensler discusses cybersecurity in the context of securities laws | Cooley LLP
In an address to the Northwestern Pritzker School of Law’s Annual Institute of Securities Regulation yesterday, SEC Chairman Gary Gensler addressed cybersecurity as it relates to securities laws. Gensler suggests the economic cost of cyberattacks could be in the trillions of dollars, taking many forms, including denial of service, malware, and ransomware. It is also a matter of national security. He recalls that “cybersecurity is a team sport” and that the private sector is often on the front line. Given the frequency of cybersecurity incidents, the SEC is “working to improve the overall cybersecurity posture and resilience of the financial industry.” For Gensler, the SEC’s cybersecurity policy has three components: “cyber hygiene and preparedness; reporting cyber incidents to the government; and in certain circumstances, disclosure to the public.” In his remarks, Gensler considered cybersecurity in a variety of contexts, including SEC registrants in the financial industry, such as broker-dealers, investment firms, registered investment advisers, and other market intermediaries; service providers; and the SEC itself, but his discussion of cybersecurity in the context of public companies is most interesting here.
Regarding public companies, Gensler viewed the basic market as follows: “Investors decide what risks they want to take. Companies that raise funds from the public have an obligation to regularly share information with investors.” But the nature and extent of disclosure are not static; they evolve over time, and “cybersecurity is an emerging risk that public issuers must increasingly deal with.” As a result, Gensler asked staff to make recommendations regarding “corporate cybersecurity practices and disclosure of IT risks.” This may include their cybersecurity governance, strategy, and risk management practices. Although many companies already disclose cyber risks, Gensler believes companies and investors would benefit from information presented in a “consistent, comparable, and decision-useful” manner. These recommendations would also address whether and how to update information provided by companies to investors when cyber events have occurred. To be sure, he noted, companies are already obligated to disclose events, such as customer data theft and ransomware, that may be material to investors. This point has been reinforced by recent enforcement actions.
[Below based on my notes, so standard caveats apply.]
In the high-level panel following Gensler’s speech, which included former SEC Chairman Mary Jo White, former SEC Commissioners Robert Jackson and Troy Paredes, former Enforcement Director Stephanie Avakian, and former Corp Fin Director Bill Hinman, Avakian noted that the SEC has recently filed cases (described above) regarding cybersecurity issues: First American Financial, which she called a “message case,” related to inadequate disclosure controls, while Pearson was a more standard misstatement case involving a hypothetical risk factor. The panel also noted the SEC’s 2018 cybersecurity guidance, as well as its Section 21(a) investigation report regarding cyber threats and internal accounting controls.
White noted that prescribing mandatory rules for disclosure could be a “heavyweight,” and Hinman agreed that crafting prescriptive disclosures in this context would be difficult. He also noted that cybersecurity disclosure was on the SEC’s most recent short-term reg-flex agenda. (See this PubCo article.) Hinman said he had heard the idea of making a cybersecurity incident an 8-K reporting requirement, as well as discussion about disclosure of insider trading controls and of board cybersecurity expertise and oversight. Paredes observed that disclosure requirements can certainly impact conduct.
A subsequent panel of general counsel noted that cybersecurity may require an enterprise-wide approach. One of the GCs highlighted the importance, in the event of a cybersecurity incident, of ensuring that the team is dealing with the facts of the situation rather than with speculation; the facts often turn out to be very different from the initial speculation. The panel also discussed the need for tabletop exercises. Several panelists also noted that defining business priorities in advance can be particularly helpful given the urgency of a cybersecurity incident.