In remarks yesterday before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. Gensler suggests that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminds us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. Given the frequency of cybersecurity incidents, the SEC is “working to improve the overall cybersecurity posture and resiliency of the financial sector.” To Gensler, the SEC’s cybersecurity policy has three components: “cyber hygiene and preparedness; cyber incident reporting to the government; and in certain circumstances, disclosure to the public.” In his remarks, Gensler considered cybersecurity in a variety of contexts, including SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers and other market intermediaries; service providers and the SEC itself, but his discussion of cybersecurity in the context of public companies is of most interest here.
With regard to public companies, Gensler viewed the basic bargain as this: “Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.” But the nature and extent of disclosure is not static; it evolves over time, and “cybersecurity is an emerging risk with which public issuers increasingly must contend.” Accordingly, Gensler has asked the staff to make recommendations involving “companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.” Although many companies already provide cyber risk disclosure, Gensler believes that both companies and investors would benefit from information that is presented in a “consistent, comparable, and decision-useful manner.” Those recommendations would also address whether and how to update companies’ disclosures to investors when cyber events have occurred. To be sure, he noted, companies are already obligated to make disclosure about events, such as customer data theft and ransomware, that may be material to investors. This point has been reinforced by recent Enforcement actions.
[Below based on my notes, so standard caveats apply.]
In the high-powered panel that followed Gensler’s speech, consisting of former SEC Chair Mary Jo White, former SEC Commissioners Robert Jackson and Troy Paredes, former Director of Enforcement Stephanie Avakian and former Director of Corp Fin Bill Hinman, Avakian noted that the SEC has recently brought cases (described above) concerning cybersecurity issues: First American Financial, which she characterized as a “message case,” related to inadequate disclosure controls, while Pearson was a more standard misstatement case involving a hypothetical risk factor. The panel also noted the SEC’s 2018 guidance on cybersecurity, as well as its investigative report under Section 21(a) regarding cyber threats and internal accounting controls.
White commented that prescribing mandatory rules for disclosure could be a “heavy lift,” and Hinman agreed that developing prescriptive disclosures in this context would be challenging. He also noted that cybersecurity disclosure was on the SEC’s most recent short-term reg-flex agenda. (See this PubCo post.) Hinman said that he had heard the idea floated of making a cybersecurity incident an 8-K reporting requirement, as well as discussion of disclosure of insider trading controls and board expertise and oversight around cybersecurity. Paredes observed that disclosure requirements can certainly have an impact on conduct.
A subsequent panel of general counsels noted that cybersecurity can require an enterprise-wide approach. One of the GCs stressed the importance, should a cybersecurity incident occur, of making sure that the team is not dealing with speculation but is addressing the facts of the situation—the facts often turn out to be quite different from the initial speculation. The panel also discussed the need for tabletop exercises. Several panelists also noted that setting company priorities in advance can be especially useful in the urgency of a cybersecurity incident.