Publication - 03/31/2014

SEC Holds Cybersecurity Roundtable

Client Alert

By Mark H. Sosnowsky and Gregory A. Mason

On Wednesday, March 26, 2014, the Securities and Exchange Commission conducted a roundtable discussion on cybersecurity and the issues and challenges cyber-threats present for public companies, exchanges, and market participants. The roundtable consisted of four separate panel discussions and included participants from the SEC, Department of the Treasury, the National Security Council, the Department of Commerce, and the Department of Homeland Security, as well as data security experts and representatives of public market participants and broker-dealers.  

Cybersecurity is a critical issue for businesses and markets, and the SEC’s recognition of this is reflected by the scheduling of the roundtable itself, the participation of all the Commissioners and senior staff, and by many of the SEC’s comments during the day.  The SEC Commissioners and staff who participated emphasized that cybersecurity is a high priority for the Commission and is integral to maintaining the integrity of markets, protecting consumer and investor data, and preventing identity theft.

A central theme throughout the roundtable was whether the SEC is providing adequate guidance for public companies.  The SEC expressed its disapproval of boilerplate cyber-risk disclosures, but there was also discussion of the risk that overly detailed disclosures could provide a roadmap that may unintentionally increase the risk of data breaches.  This is an area where judgment and balance are essential, and the SEC is currently analyzing whether it needs to provide further guidance on where that balance should be found.  Although the Commission did not issue any new formal guidance during the roundtable, there were several takeaways from the discussion:

  • Dynamic and Continuing Risks:  Cybersecurity is not a peripheral technology issue, but a key business issue that needs to be understood by leadership and employees alike, particularly in industries that collect vast amounts of sensitive customer data, such as retailers or financial services companies.  Cybersecurity threats are variable and dynamic and may emerge from a variety of sources, including political “hacktivists,” criminals and thieves out for financial gain, terrorists, and even foreign nation-states.  Accordingly, cyber-threats should not be considered a problem to overcome, but a continuing risk that must be managed. 
  • No Checklist for Proper Cybersecurity Compliance:  There is no “one size fits all” approach to cybersecurity and there is no “compliance checklist.”  There are, however, many industry best practices that may help companies avoid and mitigate cyber-threats, including vulnerability scans, penetration testing, simulated attack exercises, monitoring all intruders, ring-fencing company data, information sharing, and top-down communication of cybersecurity risks and policies.  Companies should give careful consideration to what practices among these and others match their risk profiles. One important resource in developing cybersecurity policies in line with industry best practices is the voluntary Framework developed by the National Institute of Standards and Technology for critical infrastructure sectors, which was released in February 2014. Drinker Biddle thoroughly detailed the Cybersecurity Framework in a previous client alert.
  • Public Companies Must Consider Whether Cybersecurity Risks and Attacks are Material:  Although public companies are not required to disclose all cyber-threats or attacks, cybersecurity issues are subject to the same “materiality” standards that govern other SEC disclosures.  Thus, public companies must give careful consideration to the nature and severity of cyber-attacks and associated risks when assessing their disclosure requirements.  When disclosure is required, companies should avoid “boilerplate” disclosures and aim to provide a meaningful disclosure, which signals that the company has focused on its particular business to identify possible cyber-risks, without providing a “roadmap” to a company’s cybersecurity vulnerabilities that could be exploited by other bad actors.  Although the Commission has not yet provided a formal statement on disclosure, the Division of Corporation Finance’s 2011 guidance regarding public company disclosure of cybersecurity risks and cyber incidents provides valuable advice on such disclosures.
  • Possible Additional Guidance:  Commissioners and staff did not announce that additional rulemaking or guidance will be immediately forthcoming, but did suggest that the Commission expected to move ahead with previously proposed regulation that would require securities exchanges and clearing agencies to meet specified standards with respect to their computer and data systems.  Moreover, the Commission is reviewing how it can provide further guidance on cybersecurity, particularly in order to ensure meaningful non-boilerplate disclosures, encourage information sharing, and further develop industry best practices.
