In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he called “the most pressing issue in corporate governance today: the rising cyber threat.” To support that characterization, Jackson cited the Identity Theft Resource Center’s figures for 2016: over 1,000 data breaches, with an aggregate cost of over $100 billion. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”
But how to grapple with this problem? Jackson contends that “the cyber threat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention. In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company’s business.”
Jackson then described three areas that demand attention, essentially paralleling the SEC’s new cybersecurity guidance: disclosure, insider trading, and controls and procedures. (See this PubCo post and this Cooley Alert.) With regard to disclosure, Jackson approved the issuance of the SEC guidance, but with reservations, indicating that he thought more was necessary. In particular, he advocated adoption of an 8-K disclosure requirement in the event of a material cyber incident. Jackson worried that the types of judgments required under the guidance “have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk.” A study by Jackson and his staff found that, in 2017, 97% of companies that suffered data breaches did not file an 8-K, although he acknowledged that, in all likelihood, not all of those incidents were material.
Jackson also worried that, as empirical studies have shown, information asymmetry about cyber incidents persists. One source of that asymmetry is that other regulations, unrelated to the securities laws, often require that affected consumers be notified, so that some parties may learn of a breach before it is disclosed to investors generally. What’s more, academic studies have found “negative and significant stock-price reactions for firms that are victims of cyber attacks,” and one study found “systematic evidence of arbitrage opportunities when traders learn of cyber breaches that have not yet been disclosed.” Jackson urged counsel to encourage their boards to be transparent in this area, noting that boards face exposure to litigation in the event of incidents.
With regard to insider trading, Jackson viewed it as “alarming when reports of a breach are accompanied by reports of insider trading. It is deeply troubling that insiders may have been able to profit in this way, regardless whether those specific insiders knew about the breach before engaging in such trading.” His response is twofold. First, boards should ensure that senior management shares critical information early and often with their colleagues, so that when any member of the senior management team learns material nonpublic information about a cyber event, all members of the team refrain from trading. Second, the insider trading laws should be reviewed to ensure that they reach traders who take advantage of nonpublic information about a breach even when the trader is not a corporate insider. More specifically, his concern is that financially motivated hackers will seek to profit by trading on what they know before the investing public discovers what they have done.
With regard to controls and procedures related to cybersecurity, Jackson recognized that development of effective systems is a “significant challenge” for most companies. The problem he identifies here is that the “technologists,” who best understand the cyber threats, typically sit in a separate silo from the lawyers and business people who would ordinarily be involved in developing controls and procedures: “One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management—compared to just 37% who identified the C-suite or the board. The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decisionmakers who need it most.” Counsel, he urged, “are critical to helping companies build the internal reporting structure that will help boards and management better anticipate, assess, and, where necessary, disclose the next significant cyber attack.” But addressing the issue will require “ambassadors”: counsel “might even have to sit in front of a computer and open a program other than Microsoft Word.” Jackson reminded the lawyers in the audience that they had previously acted as ambassadors, but in a different context: after SOX was passed, lawyers were compelled to reach across the knowledge and culture divide to delve into the “Byzantine, complex, intimidating, and critical” discipline of accounting.