Cybersecurity failures in 2013 exposed the vulnerabilities of the financial markets, financial institutions, and public companies to cyber-incursions. In setting an agenda for 2014, the U.S. Securities and Exchange Commission (SEC) announced that it would begin scrutinizing the cybersecurity efforts of regulated entities. The SEC held a roundtable on cybersecurity at its headquarters in Washington, D.C. on March 26, 2014. Participants in the roundtable, who came from both the government and the private sector, are focused on defending the infrastructure of the financial system as well as the data and intellectual property held by public companies.
The roundtable opened with remarks from Chairwoman Mary Jo White and the other Commissioners, which were followed by four moderated panel discussions covering: the cybersecurity landscape; public company disclosure of cyber-events; cybersecurity of market systems; and cybersecurity issues facing broker-dealers, investment advisers, and transfer agents. Although the subjects covered by the panels were wide-ranging, four topics were central to the overall discussion:
- The current cyber-threat environment. Panelists discussed the rapid evolution of malware, novel or so-called “0-day exploits,” ransomwear, identify theft, and the destruction/corruption of data as among the most common threats facing organizations today. Although the magnitude of cyber-incursions was noted as a concern, panelists also focused attention on the global nature of the problem as well as the varied threats presented by different actors, including cyber-crime, hacktivism, cyber-espionage, and cyber-warfare. The financial services, energy, and healthcare sectors were cited as the primary targets for cyber-incursions. Of these sectors, the financial services industry was generally deemed the most advanced in thinking about security; however, panelists raised concerns about smaller financial institutions, particularly investment advisers, who are perceived to be particularly vulnerable due to resources constraints, including the scarcity of trained personnel to handle incident response.
- The role of the board of directors. Panelists view boards of directors as instrumental in an organization’s cybersecurity efforts, citing the importance of the board’s role in thinking about the strategic implications of a breach, as well as addressing cyber and enterprise risk management in a coordinated manner. Although panelists agreed that not all boards need cybersecurity committees, they stressed that boards must know what questions about a firm’s cybersecurity they need to ask senior managers. Panelists noted as a positive development the increase in board-level attention to cybersecurity, which at one national exchange is now on every agenda for multiple board committees.
- Public company disclosure of cyber-incursions. The Commissioners were intently focused on the state of public company disclosures of cyber-risks. In particular, the Commissioners wanted to learn more about the specific cyber-events companies are disclosing as well as the disclosure information sought by investors. The Commissioners appeared to be weighing the necessity of providing additional guidance and/or imposing minimum disclosures standards, an idea that was rebuffed by panelists.
- The role of information sharing in combating cyber-threats. Panelists agreed that in addition to sharing information between industry participants, the private sector and government need to coordinate and share information on cyber-threats. Of concern for the panelists is the absence of statutory clarity regarding what information an organization can share with governmental entities. Panelists also noted situations in which the Department of Homeland Security or the FBI provides companies with information that for national security considerations cannot be disclosed. Such circumstances, which panelists believe will occur more frequently, create tension with an organization’s disclosure obligations that panelists urged the SEC to address in future guidance.
The roundtable highlighted that the SEC is taking cybersecurity at regulated entities and public companies very seriously. Indeed, Chairwoman White attended the entirety of the roundtable, and actively questioned panelists, as did the other Commissioners. We expect the Commission will continue to focus on cybersecurity in examinations, regulatory enforcement actions, and future regulations.