In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reported that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”
But how to grapple with this problem? Jackson contends that “the cyber threat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention. In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company’s business.”
Jackson then proceeded to describe three areas that demanded attention, essentially paralleling the SEC’s new cybersecurity guidance: disclosure, insider trading and controls and procedures. (See this PubCo post and this Cooley Alert.) With regard to disclosure, Jackson approved the issuance of the SEC guidance, but with reservations, indicating that he thought more was necessary. In particular, he advocated adoption of an 8-K disclosure requirement in the event of a material cyber incident. Jackson worried that the types of judgments required under the guidance “have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk.” In a study by Jackson and his staff, in 2017, 97% of companies that suffered data breaches did not file an 8-K, although he acknowledged that it was likely that not all of those incidents were material.
Jackson worried that empirical studies have shown that information asymmetry about cyber incidents persists. One reason is that other regulations—not related to the securities laws—often require notification to consumers. What’s more, academic studies have found “negative and significant stock-price reactions for firms that are victims of cyber attacks,” and one study found “systematic evidence of arbitrage opportunities when traders learn of cyber breaches that have not yet been disclosed.” Jackson urged that counsel encourage their boards to be transparent in this area, noting that boards face exposure to litigation in the event of incidents.
As reported in Law360, in remarks last week to a conference of the Council of Institutional Investors, SEC Chair Jay Clayton observed that, when considering specific rulemaking, such as an 8-K requirement, one issue that the SEC is “‘always concerned with on a disclosure rule is whether you’re over- or under-inclusive.’ … It could be challenging to apply a one-size-fits-all requirement across the full spectrum of publicly traded companies that face cyberrisk, because the details of what constitutes a significant event would vary depending on the company, he said. ‘In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,’ said Clayton. ‘It’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.’ Clayton added that there could be times when a company’s duty to quickly inform the public of a cyberattack or cooperate with law enforcement could conflict with a requirement to file a disclosure with shareholders.” The SEC will be closely monitoring implementation of the guidance.
With regard to insider trading, Jackson viewed it as “alarming when reports of a breach are accompanied by reports of insider trading. It is deeply troubling that insiders may have been able to profit in this way, regardless whether those specific insiders knew about the breach before engaging in such trading.” His response is twofold. First, boards should ensure that senior management share critical information early and often with their colleagues, so that when any member of the senior management team learns material nonpublic information about a cyber event, all members of the team avoid trading. Second, the insider trading laws should be reviewed to ensure that they address traders who take advantage of nonpublic information about a breach, even when the trader is not a corporate insider. More specifically, his concern is that financially motivated hackers will seek to profit by trading before the investing public discovers what they have done.
With regard to controls and procedures related to cybersecurity, Jackson recognized that development of effective systems is a “significant challenge” for most companies. The problem he identifies here is that the “technologists,” who best understand the cyber threats, are typically in a separate silo from the lawyers and business people who would typically be involved in developing controls and procedures: “One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management—compared to just 37% who identified the C-suite or the board. The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decisionmakers who need it most.” Counsel, he urged, “are critical to helping companies build the internal reporting structure that will help boards and management better anticipate, assess, and, where necessary, disclose the next significant cyber attack.” But to address the issue, “ambassadors” will be necessary: counsel “might even have to sit in front of a computer and open a program other than Microsoft Word.” Jackson reminded the lawyers in the audience that they had previously acted as ambassadors, but in a different context: after SOX was passed, lawyers were compelled to reach across the knowledge and culture divide to delve into the “Byzantine, complex, intimidating, and critical” discipline of accounting.
Other SEC Commissioners and staff have also stressed the need for development of controls that require the input of both IT and business personnel. In previewing the guidance in a 2017 presentation, Corp Fin Director William Hinman advocated that, because it may be hard to determine the significance of attacks initially, IT and business personnel should promptly consider the impact of the event together, with an eye toward understanding the business implications. SEC Commissioner Kara Stein expressed similar views in a recent speech at Stanford. Why, she asked, in light of the general agreement on the importance of cybersecurity, were companies “not doing more to implement robust cybersecurity frameworks and to provide meaningful disclosures regarding the risks of data loss”? One possible reason, she suggested, could be that companies “tend to view cyberthreats as a technology problem instead of, more appropriately, a business risk.” When cybersecurity is viewed as simply an “IT” problem, it is then “hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cybersecurity into a firm’s enterprise risk management framework. To be sure, some companies are focused on cyberthreats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyberthreats as a business risk.”