By Mark H. Sosnowsky and Gregory A. Mason
On Wednesday, March 26, 2014, the Securities and Exchange Commission conducted a roundtable discussion on cybersecurity and the issues and challenges cyber-threats present for public companies, exchanges, and market participants. The roundtable consisted of four separate panel discussions and included participants from the SEC, Department of the Treasury, the National Security Council, the Department of Commerce, and the Department of Homeland Security, as well as data security experts and representatives of public market participants and broker-dealers.
Cybersecurity is a critical issue for businesses and markets, and the SEC’s recognition of this is reflected in the scheduling of the roundtable itself, the participation of all the Commissioners and senior staff, and many of the SEC’s comments during the day. The SEC Commissioners and staff who participated emphasized that cybersecurity is a high priority for the Commission and is integral to maintaining the integrity of markets, protecting consumer and investor data, and preventing identity theft.
A central theme throughout the roundtable was whether the SEC is providing adequate guidance for public companies. The SEC expressed its disapproval of boilerplate cyber-risk disclosures, but there was also discussion of the risk that overly detailed disclosures could provide a roadmap that may unintentionally increase the risk of data breaches. This is an area where judgment and balance are essential, and the SEC is currently analyzing whether it needs to provide further guidance on where that balance should be found. Although the Commission did not issue any new formal guidance during the roundtable, there were several takeaways from the discussion:
Dynamic and Continuing Risks: Cybersecurity is not a peripheral technology issue, but a key business issue that needs to be understood by leadership and employees alike, particularly in industries that collect vast amounts of sensitive customer data, such as retailers or financial services companies. Cybersecurity threats are variable and dynamic and may emerge from a variety of sources, including political “hacktivists,” criminals and thieves out for financial gain, terrorists, and even foreign nation-states. Accordingly, cyber-threats should not be considered a problem to overcome, but a continuing risk that must be managed.
No Checklist for Proper Cybersecurity Compliance: There is no “one size fits all” approach to cybersecurity and there is no “compliance checklist.” There are, however, many industry best practices that may help companies avoid and mitigate cyber-threats, including vulnerability scans, penetration testing, simulated attack exercises, monitoring for intruders, ring-fencing company data, information sharing, and top-down communication of cybersecurity risks and policies. Companies should give careful consideration to which of these and other practices match their risk profiles. One important resource in developing cybersecurity policies in line with industry best practices is the voluntary Framework developed by the National Institute of Standards and Technology for critical infrastructure sectors, which was released in February 2014. Drinker Biddle thoroughly detailed the Cybersecurity Framework in a previous client alert.
Public Companies Must Consider Whether Cybersecurity Risks and Attacks are Material: Although public companies are not required to disclose all cyber-threats or attacks, cybersecurity issues are subject to the same “materiality” standards that govern other SEC disclosures. Thus, public companies must give careful consideration to the nature and severity of cyber-attacks and associated risks when assessing their disclosure requirements. When disclosure is required, companies should avoid “boilerplate” disclosures and aim to provide a meaningful disclosure, which signals that the company has focused on its particular business to identify possible cyber-risks, without providing a “roadmap” to a company’s cybersecurity vulnerabilities that could be exploited by other bad actors. Although the Commission has not yet provided a formal statement on disclosure, the Division of Corporation Finance’s 2011 guidance regarding public company disclosure of cybersecurity risks and cyber incidents provides valuable advice on such disclosures.
Possible Additional Guidance: Commissioners and staff did not announce that additional rulemaking or guidance will be immediately forthcoming, but did suggest that the Commission expects to move ahead with previously proposed regulation that would require securities exchanges and clearing agencies to meet specified standards with respect to their computer and data systems. Moreover, the Commission is reviewing how it can provide further guidance on cybersecurity, particularly in order to ensure meaningful, non-boilerplate disclosures, encourage information sharing, and further develop industry best practices.