Should the Securities and Exchange Commission (SEC) do more to guide companies in their disclosure obligations regarding cybersecurity risks? That was a key question that SEC commissioners asked at a March 26 roundtable discussion in Washington, DC, regarding cybersecurity issues, the challenges public companies face, and how they are addressing those concerns.
“The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information,” said SEC Chairman Mary Jo White. “But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.”
Panelists at the roundtable included representatives from broker-dealers, investment advisers, exchanges, and public companies. Although the SEC does not require companies to disclose cybersecurity risks and incidents, the agency did issue staff guidance in 2011 to public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The SEC has also been under political pressure from Congress to establish formal guidance. In April 2013, Sen. Jay Rockefeller (D-WV) sent a letter urging White to issue formal guidance on disclosure of cybersecurity risks. White responded by noting that the SEC staff was reviewing public companies' disclosure of cybersecurity risks with an eye to whether additional guidance is needed.
For public companies, “there is a tremendous disincentive to disclose a breach,” Douglas Meal, a partner at the Boston office of Ropes & Gray LLP, told the commissioners at the roundtable meeting. He said revealing an incident that isn't otherwise public would make the issuer a target of class action plaintiffs and consumer protection regulators. “If the company doesn’t have a legal obligation to disclose, it’s often not in their interest,” he added.
SEC commissioners also heard from industry representatives about phishing and malware concerns, wealth management risks, the challenges of putting in place robust information-sharing mechanisms to identify threats and execute timely counter-measures, the quickly changing nature of hacking techniques, and the importance of staff training and appropriate policies and procedures.
“The increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors,” said Commissioner Luis Aguilar. However, panelists urged caution because cyber attacks continue to evolve rapidly, and prescriptive requirements may be outdated before they can be implemented. Instead, panelists urged the SEC to consider principles-based guidance to help companies respond to increasing threats.