Publication - 03/31/2014

SEC Holds Cybersecurity Roundtable

Client Alert

By Mark H. Sosnowsky and Gregory A. Mason

On Wednesday, March 26, 2014, the Securities and Exchange Commission conducted a roundtable discussion on cybersecurity and the issues and challenges cyber-threats present for public companies, exchanges, and market participants. The roundtable consisted of four separate panel discussions and included participants from the SEC, Department of the Treasury, the National Security Council, the Department of Commerce, and the Department of Homeland Security, as well as data security experts and representatives of public market participants and broker-dealers.  

Cybersecurity is a critical issue for businesses and markets, and the SEC's recognition of this was evident in the scheduling of the roundtable itself, the participation of all of the Commissioners and senior staff, and much of the SEC's commentary during the day. The Commissioners and staff who participated emphasized that cybersecurity is a high priority for the Commission and is integral to maintaining the integrity of the markets, protecting consumer and investor data, and preventing identity theft.

A central theme throughout the roundtable was whether the SEC is providing adequate guidance for public companies. The SEC expressed its disapproval of boilerplate cyber-risk disclosures, but there was also discussion of the risk that overly detailed disclosures could provide attackers a roadmap and unintentionally increase the likelihood of a breach. This is an area where judgment and balance are essential, and the SEC is currently analyzing whether it needs to provide further guidance on where that balance lies. Although the Commission did not issue any new formal guidance at the roundtable, there were several takeaways from the discussion:

  • Dynamic and Continuing Risks:  Cybersecurity is not a peripheral technology issue but a core business issue that must be understood by leadership and employees alike, particularly in industries that collect large amounts of sensitive customer data, such as retailers and financial services companies. Cybersecurity threats are varied and dynamic and may emerge from many sources, including political "hacktivists," criminals seeking financial gain, terrorists, and foreign nation-states. Accordingly, cyber-threats should not be treated as a problem to be solved once, but as a continuing risk that must be managed.
  • No Checklist for Proper Cybersecurity Compliance:  There is no "one size fits all" approach to cybersecurity and there is no "compliance checklist." There are, however, many industry best practices that can help companies avoid and mitigate cyber-threats, including vulnerability scans, penetration testing, simulated attack exercises, monitoring for intruders, ring-fencing company data, information sharing, and top-down communication of cybersecurity risks and policies. Companies should give careful consideration to which of these and other practices match their risk profiles. One important resource for developing cybersecurity policies in line with industry best practices is the voluntary Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology, which was released in February 2014. Drinker Biddle detailed the Cybersecurity Framework in a previous client alert.
  • Public Companies Must Consider Whether Cybersecurity Risks and Attacks Are Material:  Although public companies are not required to disclose every cyber-threat or attack, cybersecurity issues are subject to the same "materiality" standards that govern other SEC disclosures. Public companies must therefore give careful consideration to the nature and severity of cyber-attacks and associated risks when assessing their disclosure obligations. When disclosure is required, companies should avoid "boilerplate" language and aim for a meaningful disclosure that shows the company has examined its particular business to identify its cyber-risks, without providing a "roadmap" to the company's cybersecurity vulnerabilities that other bad actors could exploit. Although the Commission has not yet issued a formal statement on disclosure, the Division of Corporation Finance's 2011 guidance on public company disclosure of cybersecurity risks and cyber incidents (CF Disclosure Guidance: Topic No. 2) provides valuable direction on such disclosures.

Possible Additional Guidance: The Commissioners and staff did not announce that additional rulemaking or guidance will be immediately forthcoming, but they did indicate that the Commission expects to move ahead with previously proposed regulation (Regulation Systems Compliance and Integrity, or Regulation SCI) that would require securities exchanges and clearing agencies to meet specified standards for their computer and data systems. In addition, the Commission is reviewing how it can provide further guidance on cybersecurity, particularly to ensure meaningful, non-boilerplate disclosures, encourage information sharing, and further develop industry best practices.
