On March 26, 2014, the Securities and Exchange Commission (the "SEC") convened a roundtable with experts from a wide range of government agencies, SROs, other market participants and private sector companies. Divided into four panels, participants covered general cybersecurity landscape issues, disclosure issues faced by public companies, cybersecurity matters affecting the exchanges and other key market systems and, finally, the range of cybersecurity issues facing broker-dealers, investment advisers and transfer agents, particularly those involving identity theft and data protection. Chairwoman Mary Jo White stated in her opening remarks that cyber threats are of extraordinary and long-term seriousness and pose non-discriminating risks throughout the U.S. economy. Additionally, she noted recent testimony of FBI Director Jim Comey that the resources devoted to cyber-based threats are quickly outpacing the resources devoted to terrorism.
Announcement by the SEC of the roundtable came quickly on the heels of the February 12, 2014 release by the White House of the final version of the Framework for Improving Critical Infrastructure Cybersecurity (the "Framework") developed by the National Institute of Standards and Technology (NIST) pursuant to the President's Executive Order 13636. When efforts by the White House to secure a legislative solution failed to gain critical traction, the White House proceeded to address the issue of cybersecurity through the President's executive powers.
The NIST Framework is a voluntary set of standards and best practices to help organizations manage cybersecurity risks. The SEC is one of many federal agencies convening meetings, proposing regulatory guidance or rulemaking and generally focusing on cybersecurity risk assessments and prophylactic measures. Given the voluntary nature of the NIST Framework, it looks to be an "all hands on deck" effort by the current Administration. Agencies are leading the way to spread the word among the multiple actors in the 16 critical infrastructure sectors of U.S. industry to raise awareness and encourage entities to take up the mantle of identifying and protecting information and systems from cyber attacks, finding appropriate and efficient means by which to share critical cyber intrusion information and building system and entity resilience to cyber attacks.
Corporate Finance and Securities Client Service Group
The SEC Roundtable: Key Issues for Our Non-Bank Public Company Clients
While it could be argued that all of the issues covered by all of the SEC roundtable experts are relevant and important for U.S. public companies -- particularly as we stand in the wake of stunning data breaches affecting millions of Target customers -- we have identified three key issues from the roundtable for immediate consideration by our public company clients:
- Cybersecurity risk management: Role of the Board of Directors and Fiduciary Duties
- Cybersecurity disclosure issues
- Interaction with the regulators
Risk Management: Role of the Board. One clear message from the various panelists, and a tenet of the NIST Framework, is that cybersecurity is no longer just an IT issue but a key business issue that should be considered and addressed as part of every organization's risk management process. Panelists discussed the importance of board of director involvement in an entity's cybersecurity issues. Cybersecurity needs to be part of the overall risk management of every public company, and those issues need to rise to the very top of the organization. There is no one-size-fits-all in this area. A company's industry, core competency, operations and level of technological dependence all factor into the analysis and the determination of tolerable risks, security measures and responsiveness. The NIST Framework provides a risk-based approach to managing these risks that can be tailored to each entity's industry and circumstances.
One panelist noted that not many public company boards have members who are expert in this area. As a result, board members must know what questions to ask of management and each other. For example:
"What are my particular company's cyber threats?"
"How do we determine what we really need to protect?"
"How do we manage access?"
"How do I know what data is leaving my company and how can we monitor how that data is being used and protected in the hands of third parties?"
"Do we have a meaningful cybersecurity response plan and are we practicing/rehearsing implementation of that response plan?"
Cybersecurity Disclosure Issues. There has been no new guidance from the SEC on disclosure issues relating to cybersecurity since the Division of Corporation Finance guidance of October 2011 (CF Disclosure Guidance: Topic No. 2, October 13, 2011). In his opening remarks to the roundtable, Commissioner Luis A. Aguilar indicated that he was interested to hear whether the 2011 guidance was working and how it might be improved. The panel focusing on this aspect of cybersecurity disagreed on whether the guidance was effective, with one panelist advocating that registrants provide greater disclosure to distinguish themselves from their industry peers in their level of cybersecurity and the risk applicable to them, and other panelists indicating that more specific disclosure in response to the guidance is not appropriate because of the risk of providing a roadmap to cyber intruders.
Public companies that have not yet incorporated this guidance into their disclosure controls and procedures should consider the following areas for potential disclosure, as set out in the guidance:
Risk Factor Disclosure - If the risk of cyber incidents is among the most significant factors that make an investment in a registrant's securities speculative or risky, then the registrant should include a risk factor adequately describing the risk. The determination of the materiality of this risk may be based upon the registrant's evaluation of prior cyber incidents, the severity and frequency of such incidents, and the adequacy of preventative actions taken by the registrant to reduce cybersecurity risks, all considered in the context of the industry in which the registrant operates and the risks to its information security. Registrants are advised not to disclose generic risk factors that could apply to any registrant, but instead to adequately describe the nature of the material risks and specify how each risk affects the registrant.
MD&A Disclosure - A registrant is advised to address cybersecurity risks and cyber incidents in Management’s Discussion and Analysis of Financial Condition and Results of Operation “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represents a material event, trend or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
Description of Business - If one or more cyber incidents have materially affected a registrant's products, services, relationships with customers or suppliers, or competitive conditions, then the registrant is advised to disclose that fact in its "Description of the Business" disclosure. Registrants are advised to consider the impact of a cyber incident on each segment in determining whether to include disclosure regarding the effect of the incident(s).
Legal Proceedings Disclosure - Any material legal proceeding that the registrant or any of its subsidiaries is a party to that involves a cyber incident may need to be disclosed in its “Legal Proceedings” disclosure.
Financial Statement Disclosure - The impact of cybersecurity and cyber incidents on a registrant's financial statements should be properly disclosed in accordance with the applicable accounting standards. The 2011 guidance states that such disclosure may include (i) the capitalization of cybersecurity costs, (ii) customer incentives intended to retain customers during and after an attack, (iii) losses from asserted and unasserted claims resulting from a cyber incident, (iv) impairment of assets as a result of diminished future cash flow that may result from a cyber incident, and (v) subsequent event disclosure if a cyber incident were to occur after the applicable balance sheet date.
Disclosure Controls and Procedures - If a cyber incident poses a risk to a registrant’s ability to record, process, summarize and report information that is required to be disclosed in SEC filings, then consideration should be given as to whether there are any deficiencies in the registrant’s disclosure controls and procedures that may make them ineffective.
SEC staff members moderating the panels at the roundtable reiterated that the SEC is aware of concerns that detailed issuer disclosure could compromise a registrant's cybersecurity (e.g., that such disclosure may provide a road map for potential cyber intruders to infiltrate the registrant's network). At the same time, the staff cautioned issuers to avoid boilerplate disclosure regarding cybersecurity and cyber incidents in their filings. Keith Higgins, the Director of the Division of Corporation Finance, tacitly acknowledged during the roundtable that a significant amount of the cybersecurity and cyber incident disclosure presently provided in registrant filings is boilerplate. Notwithstanding this tension, since the issuance of the 2011 guidance the SEC has issued comment letters to issuers requesting, among other things, that registrants without cybersecurity risk factors disclose information regarding the risk of cyber incidents and the sufficiency of the preventative actions they have taken, and that registrants disclose past cyber incidents and the scope and magnitude of any such incidents.
Interaction with Regulators. Finally, a recurring theme throughout each and every panel was the need for more and better information about cyber threats. Effective protection of the nation's critical infrastructure requires widespread cooperation and a meaningful flow of information: from the public sector to the private sector, private to public, public to public and private to private. Each of those exchanges of information faces hurdles and critical legal issues. What is clear from the panels is that this issue is one that voluntary compliance with the NIST Framework is not going to address. Certain government agency panelists, including those from the Department of Homeland Security, were emphatic that the issues preventing the sharing of information needed to be addressed in a meaningful way to ensure greater security. It remains to be seen how the SEC may further encourage appropriate public disclosure and promote public company risk assessments that appropriately feature and address cybersecurity. What seems clear is that this issue permeates multiple regulatory paradigms, and public companies need to prepare to address it.
In his remarks, Commissioner Aguilar noted that cyber-attacks aimed at public companies and other market participants can have devastating effects on the U.S. economy, individual consumers, and the markets and investors that the SEC was created to protect. He stated that the SEC must play a role in protecting these parties, but that it was unclear what the role should be. One action he suggested was the establishment of a cybersecurity task force among all divisions of the SEC in order to better advise the SEC in respect of these issues.
The SEC has encouraged persons to express their views on all of the cybersecurity issues addressed at the roundtable by submitting comments on such matters on the SEC’s web site.