On Friday, SEC Commissioner Elad Roisman addressed some of the challenges related to cybersecurity, cyber breaches and related events in a speech to the LA County Bar Association. In his presentation, Roisman looks at cybersecurity in a variety of contexts, such as exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the public company context is of greatest interest here. Although the SEC has some principles-based requirements and guidance on cybersecurity disclosure, Roisman believes the SEC should consider more guidance and even rules “to make sure companies understand [the SEC’s] expectations and investors benefit from the increased disclosure and protection of the company.”
Cyber threats cover a wide area, Roisman explains: they can include “simple break-ins into accounts trying to steal assets from an investor’s or customer’s accounts; ransomware attacks that attempt to disable business operations to extract payments; and even acts of ‘hacktivism’ disrupting services to take a political stand. Cyber events are often difficult to detect, difficult to measure quickly, and can involve reporting requirements to multiple government agencies and stakeholders.”
While listed companies have general disclosure requirements under the securities laws, they may also be responsible for “taking steps to prevent and mitigate the harm caused by these threats.” Roisman notes that “it has become increasingly important for market participants to work with legal advisors and other experts to prepare for potential cyberattacks before they happen, where information needs to be reported outside the company and to whom.”
Regarding disclosure guidance, while there is currently no explicit disclosure mandate regarding cybersecurity risks and incidents, Roisman notes, the SEC issued guidance in 2018 making clear that companies may be required to disclose these risks and incidents under the provisions of Reg. S-K and Reg. S-X that require disclosure regarding risk factors, business and operations, MD&A and other matters. A “necessary requirement” for timely and appropriate disclosure, according to Roisman, is the establishment and implementation of effective disclosure controls and procedures, which in turn rely on “dedicated and informed officers, directors and others.”
Cybersecurity, Roisman notes, can also implicate internal control over financial reporting; here he refers to the SEC’s 2018 Section 21(a) report on nine companies that were victims of cyber fraud when their employees transferred funds to pay counterfeit bills in response to fraudulent electronic communications.
And Roisman notes that enforcement “also resulted in two notable settled actions this summer involving public company disclosures about cybersecurity incidents.” Here Roisman referred to the recent cases against First American Financial Corporation and Pearson plc.
Finally, Roisman highlights the appearance of potential cybersecurity rulemaking on the SEC’s most recent regulatory agenda. (See this PubCo post.) Although he says he has not seen a draft proposal, he has a few ideas of his own that he hopes to see in the awaited proposal, including these points:
“First of all, we need to clearly define all new legal obligations. Second, we need to ensure that these commitments do not conflict with the requirements set by our sister authorities. Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an institution. Finally, because issuers’ businesses are different, the cybersecurity risks they face will also be different, and so a principles-based rule would likely work best.”
In particular, Roisman stresses the importance of working with other regulators, law enforcement agencies and the national security community to ensure that the SEC’s proposal does not conflict with their mandates. He also cautions that any disclosure requirements should relate to the identification of material information and be tailored to avoid disclosing a “roadmap for infiltrating a registrant’s systems.”
In conclusion, Roisman offers a few ideas for companies to consider right now. For example, companies may want to identify in advance the experts they can call in the event of a cyber incident. In his view, this kind of effort would show “prudence and diligence.” Another proactive way to mitigate potential harm would be to conduct tabletop exercises. While these activities do not necessarily cover all circumstances, “they provide a level of process and proactive steps a company can take to identify this potential risk.”