In remarks delivered in 2022 before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (See this PubCo post.) He might have said the same thing about cyber resilience—the topic of a Financial Times summit held last month and the subject of remarks delivered to that audience by Gurbir Grewal, the current SEC Director of Enforcement. What is cyber resilience? As defined by Grewal, it’s a concept that assumes that “breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it’s not a matter of if, but when.”
Internal auditors are worried that boards are not paying enough attention to—wait for it—internal auditors. Probably most often, we consider the internal audit function in the context of financial reporting, but its brief can extend to many other risk areas. To be sure, the speed of technological development and disruption has accelerated the development of risks—exhibit one being the development of the internet, which has led to risks related to cyberattacks and privacy. A 2019 report regarding a survey by the Institute of Internal Auditors of over 500 chief audit executives (CAEs) concluded that these developments “place an even higher value and urgency on assuring that boards have complete and accurate information on which to base their decisions…. In today’s dynamic risk environment, CAEs must do more than simply understand and fall in line behind the board’s view on risk. This new outlook must center on assuring the board has a comprehensive and unencumbered understanding of the organization’s risk universe.” Nevertheless, according to the President and CEO of the IIA, CAEs responding to the survey said that “internal audit rarely reviews information provided to the board, with 6 in 10 [CAEs] reporting they provide such assurance only for unusual situations, or never.” As a result, there were “serious questions about whether internal audit’s insights and recommendations are getting through to boards.”
In a speech given yesterday at Columbia University, SEC Chair Jay Clayton reviewed the SEC’s regulatory achievements over the past year, metaphorically slapping the SEC and the staff on the back for a job well done in accomplishing 88% of the items identified on the SEC’s near-term agenda for fiscal 2018. Of particular interest, however, was his discussion of some of the priority items on the 2019 agenda. In closing, Clayton hammered again at three risk areas that the SEC is currently monitoring—yes, those three. Clearly, the signal is that companies should consider these risks.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.
Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.
Even though, in the wake of recent events, cybersecurity is a very hot topic, only 38% of U.S. public companies cite cybersecurity as a risk factor in their annual and quarterly SEC filings, according to a recent study from Intelligize. The study showed that, while only 426 public companies cited cybersecurity as a risk in 2012, that number grew to 1,662 in 2016. However, so far in 2017, the number has been relatively flat at 1,680. But the question remains, how long will that continue?
Summarized below are some of the highlights of the 2017 PLI Securities Regulation Institute panel discussions with the SEC staff (Michele Anderson, Wesley Bricker, Karen Garnett, William Hinman, Mark Kronforst, Shelley Parratt, Ted Yu), as well as a number of former staffers and other commentators. Topics included the Congressional and SEC agendas, fresh insights into the shareholder proposal guidance, as well as expectations regarding cybersecurity, conflict minerals, pay ratio disclosure, waivers and many other topics.
PwC’s 2017 Annual Corporate Directors Survey shows directors “clearly out of step” with institutional investors on social issues
In its Annual Corporate Directors Survey for 2017, PwC surveyed 886 directors of public companies and concluded that there is a “real divide” between directors and institutional investors (which own 70% of U.S. public company stocks) on several issues. More recently, PwC observes, public companies have been placed in the unusual position of being called upon to tackle some of society’s ills: in light of the “new administration in Washington and growing social divisiveness, US public company directors are faced with great expectations from investors and the public. Perhaps now more than ever, public companies are being asked to take the lead in addressing some of society’s most difficult problems. From seeking action on climate change to advancing diversity, stakeholder expectations are increasing and many companies are responding.” But apparently, many boards are not taking up that challenge; PwC’s “research shows that directors are clearly out of step with investor priorities in some critical areas,” such as environmental issues, board gender diversity and social issues, such as income inequality and employee retirement security.