The U.S. Securities and Exchange Commission (“SEC”) held a Cybersecurity Roundtable discussion in Washington, DC Wednesday, March 26, 2014, at which representatives from the government and private sector, including publicly held corporations, market exchanges, investment advisors, and the insurance industry, discussed cybersecurity risks and the role the government, and specifically the SEC, could play in mitigating those risks. Risks discussed included those arising from insiders misusing, stealing or improperly disclosing data, as well as the increasing prevalence and sophistication of attacks from nation states, hacktivists, and criminal enterprises. The panelists stressed that these risks cannot be eliminated but must be managed – and doing so is primarily a business, not technology, issue.
Panelists from across the spectrum praised the Cybersecurity Framework issued in February by The National Institute of Standards and Technology (“NIST”), highlighting its flexible and standards-based approach. Some panelists also stressed the importance of information sharing between stakeholders, and suggested that the SEC or Congress could help further information sharing through regulations or laws that clearly authorize financial institutions to share specified information with government agencies for combating cyber-threats.
Panelists were divided, however, on the proper role of the SEC with regard to disclosures of cyber risk and data breaches, with reference to the SEC’s 2011 guidance. Most panelists agreed that asking companies to disclose non-material risks is different from the approach generally taken for other types of risks and provides little to no benefit to shareholders. Some panelists suggested that cyber risk disclosures should be used to explain how a particular company’s risk profile is distinct from others in its industry. However, other panelists suggested that anything more than the sort of boilerplate cyber risk disclosures that companies currently provide would risk providing too much information to competitors and bad actors, without providing useful information to shareholders.
Other topics of discussion included the role of boards of directors with regard to cyber risk and the problems with disclosing data breaches too early. With regard to the latter, panelists suggested that companies’ decisions as to data breach disclosures currently tend to be driven more by breach notification requirements pursuant to state and federal law than by SEC requirements for disclosures to investors. Some panelists praised the SEC’s proposed Regulation SCI, to the extent it promotes the use of standards and well-established guidelines. All panelists noted, however, that the threats change so dynamically that prescriptive rules would likely do more harm than good. As a method for identifying problem areas and improving defenses, all panelists commended a recent cyber-attack simulation and suggested additional simulations in the future that involve senior management.
The SEC did not elaborate on a timeline for adopting final rules for Regulation SCI, but encouraged interested parties to file comments on Cybersecurity under File No. 4-673.