February 20, 2019
The warning signs are clear – the Securities and Exchange Commission (SEC) is focusing more intently and punitively on how public companies recognize and manage enterprise cybersecurity risk and how they disclose material risks to shareholders.
On February 21, 2018, through its Securities Act Release No. 10,459; Exchange Act Release No. 82,746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC substantially added to the growing chorus of cybersecurity regulation by interpreting existing disclosure guidance as it applies to cybersecurity risk and the associated internal controls at public companies. The guidance signals the Commission’s view that cybersecurity risk and incidents are material factors in investor decisions. In effect, the guidance elevates the importance of disclosing cybersecurity risk, obligates management and boards to describe accurately and in a timely way the controls they have in place to identify and manage that risk, and clarifies how insider trading rules apply to those with knowledge of a data breach.
In its recently issued Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act, the SEC advised public companies to develop and implement internal controls that address cyber threats. The report, which followed an investigation of public companies that lost nearly $100 million to phishers through cyber fraud involving compromises of their business email systems, found that inadequate policies, procedures, and controls for wire transfers, together with inadequate training, led to the losses.
Enforcement actions often follow Section 21(a) reports from the SEC. Separately, the $1 million settlement that the SEC reached with broker-dealer and investment adviser Voya Financial Advisers Inc. demonstrates that the Commission is becoming increasingly willing to use its enforcement tools to improve cybersecurity posture and punish lax controls. After suffering a breach of its own EDGAR system and observing the 2016 SWIFT hacks, the SEC has also taken enforcement actions involving critical financial market utilities over the resilience of Regulation SCI systems.
With its attention on internal controls and the financial risk associated with cybersecurity, the SEC is pushing companies to intensify their focus on risk identification and reporting. Taken together, these indicators show that the SEC will continue to press public companies to elevate cybersecurity risk to a board-level imperative, focused on and funded around sound, effective governance, risk, and compliance practices. Underneath it all is the obligation of management and the board to handle cybersecurity as an enterprise risk, to improve the board’s cybersecurity knowledge quotient, and to groom more quickly chief security officers (CSO) and chief information security officers (CISO) who can translate their technical perspective into the business operations and enterprise risk management frame of reference and parlance of the board.
It is not just smaller companies that underspend on cybersecurity. Large, sophisticated companies also run afoul of this gulf between the security officer, senior management, and the board. On November 15, 2018, The New York Times published a long piece that illuminated the internal conflicts among security, management, and the board of Facebook: the COO characterized a report by its CSO to the board as ‘throwing management under the bus’ at a time when both the board and congressional panels were investigating Facebook’s role in the privacy issues around recent social media scandals. The penalty Yahoo paid for not disclosing a significant 2014 data breach during its sale to Verizon in 2016 was a $350 million haircut to the price of the deal, which led to a derivative shareholder lawsuit recently settled for $50 million and a fine of $35 million by the SEC. These examples show that regulatory action, third-party legal consequences and reputational damage can all follow from cybersecurity and privacy snafus that should have been better foreseen and managed.
When a majority of many companies’ assets are digital, cybersecurity compromises are here to stay, virtually inevitable, and becoming far more destructive and disruptive. The consequences are growing more severe as regulators focus more intently on these risks. Better risk assessment, prevention, and detection, more effective response and recovery, and more timely and complete disclosures and stakeholder communications must become the province of risk-engaged senior management and boards. For the stewards of company assets, waiting for an SEC investigation and consent decree to supply the motivation is waiting too long.
The article ‘Don’t Wait on the SEC to Shore up Security’ was written by Scott Corzine, Ankura Consulting Group, LLC and Richard Borden, White and Williams, LLP.