On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”
Cyber threats cover a broad territory, Roisman explains: they may involve “simple account intrusions that seek to steal assets from an investor’s or customer’s accounts; ransomware attacks that seek to disable business operations in order to extract payments; and even acts of ‘hacktivism’ that disrupt services to make a political point. Cyber events can often be hard to detect, hard to measure quickly, and can involve reporting obligations to multiple government agencies and stakeholders.”
While public companies have general disclosure obligations under the securities laws, they may also have responsibility for “taking measures to prevent and mitigate damage from these threats.” Roisman observes that “it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.”
With regard to disclosure guidance, although there is currently no explicit disclosure mandate regarding cybersecurity risks and cyber incidents, Roisman observes, the SEC did issue guidance in 2018 that makes clear that companies may be obligated to disclose these risks and incidents under Reg S-K and Reg S-X, which require disclosure regarding risk factors, business and operations, MD&A and other matters. A “necessary prerequisite” to providing timely and adequate disclosure, according to Roisman, is the adoption and implementation of effective disclosure controls and procedures, which in turn rely on “engaged and informed officers, directors and others.”
Cybersecurity, Roisman notes, can also implicate internal control over financial reporting, pointing to the SEC’s 2018 21(a) report regarding nine companies that were victims of cyber fraud as a result of their employees’ wiring funds to pay phony “invoices” in response to deceptive electronic communications.
Roisman also observes that the Division of Enforcement “brought two notable settled actions this summer involving public companies’ disclosures regarding cybersecurity incidents.” Here, Roisman pointed to recent cases against First American Financial Corporation and Pearson plc.
Finally, Roisman highlights the appearance on the SEC’s most recent regulatory agenda of potential rulemaking regarding cybersecurity. (See this PubCo post.) While he disclaims having set eyes on any draft proposal, he has some ideas of his own that he hopes to see in the anticipated proposal, including these points:
“First, we need to define any new legal obligations clearly. Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies. Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity. And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.”
In particular, Roisman emphasizes the importance of working with other regulators, law enforcement and the national security community to ensure that the proposal from the SEC would not conflict with their mandates, such as an admonition against disclosure by law enforcement or national security agencies. He also cautioned that any disclosure requirements should be focused on eliciting material information and tailored to avoid disclosure of a “roadmap for how to infiltrate a registrant’s systems.”
In conclusion, Roisman offers some ideas that companies could consider undertaking right now. For example, companies might want to identify in advance experts that they can call in the event of a cyber-incident. In his view, that type of effort would show “prudence and diligence.” Another proactive way to mitigate potential harm would be to conduct table-top exercises. While these activities will not necessarily cover every circumstance, “they offer a level of procedures and pro-active measures that a company can undertake in recognition of this potential risk.”