What role should the SEC play in regulating cybersecurity?

By Peter Isajiw, Law.com Contributor

This article was first published on the Law.com Network on March 28, 2014

In response to growing concerns surrounding cybersecurity — and a number of high-profile data breaches — on March 26, 2014, the Securities and Exchange Commission (“SEC” or “Commission”) hosted a roundtable discussion on the issues and challenges of cybersecurity. The roundtable was divided into four panels, and experts and industry leaders were invited to comment on cybersecurity issues faced by financial markets and public companies. The discussion made clear that cybersecurity issues pose a serious and complicated problem from a regulatory perspective. As a means to continue the dialogue begun with the roundtable, the SEC has opened a public comment period to solicit feedback on cybersecurity issues.

Opening Remarks: Cyber Threats Are A Greater Risk To The Economy Than Terrorism

The session opened with brief remarks from Chair Mary Jo White. White noted that cyberattacks “are of extraordinary and long-term seriousness” and stressed that the public and private sectors need to be “riveted in lockstep” in addressing the complex threats they pose. White noted that the Commission last year adopted Regulation S-ID, which requires certain regulated financial institutions and creditors to adopt and implement identity theft programs, and that the SEC’s Division of Corporation Finance (“CorpFin”) issued guidance in October 2011 on public company disclosures of cyber breaches and risk. She emphasized that the issue is an important one that the SEC “has continued to study.”

Commissioner Luis Aguilar noted that financial markets are dependent on sophisticated and interconnected technology, and that cyberattacks on financial institutions and the infrastructure underlying capital markets are increasingly common.
As a result, Commissioner Aguilar continued, the Commission was seeking input on balancing security needs against the business needs of public companies and regulated entities.

The Cybersecurity Landscape

The topic of the first panel was the current cybersecurity landscape. The panel discussed the need for a multi-stakeholder approach to cybersecurity, and the importance of treating cybersecurity not as a technology or security issue, but as an institutional business issue. The panel stressed the importance of businesses having a cybersecurity response plan, and the need for adaptable, continuous monitoring of cybersecurity systems so that entities can most effectively target their scarce resources to protect against ever-changing threats.

Larry Zelvin, Director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, spoke to the importance of sharing information on threats between the private sector and government. Representatives of the private sector agreed that information sharing is crucial, but indicated that they need clearer channels of communication and guidelines as to what businesses can share with government — and each other — without creating potential liability related to privacy and civil liberties concerns.

Commissioner Aguilar asked the government representatives present whether the disclosures made in SEC filings are reaching the individuals responsible for cybersecurity, and whether this information is useful to them. Zelvin replied that “there is more pull than push” when it comes to getting timely information from public companies, and that generally, by the time companies make disclosures in SEC filings, the information is no longer timely.

Cybersecurity And Public Company Disclosures

The second panel addressed the topic of public company disclosures. Chair White and other commissioners questioned the panel about the usefulness of CorpFin’s cybersecurity disclosure guidelines.
Douglas Meal of Ropes & Gray LLP remarked that he cannot think of a case where a company’s disclosures were driven by securities laws. He noted that there is a “tremendous disincentive” to disclose a data breach because of the likelihood of resulting class action litigation and investigation by consumer protection regulators who “often see companies as perpetrators as opposed to victims” when a data breach occurs. Meal stated that where companies have made disclosures, this is generally driven by state disclosure or consumer protection laws, and where companies are not otherwise obligated to disclose a data breach, they will almost never treat it as a material event to be disclosed under federal securities laws.

Jonas Kron, the Director of Shareholder Advocacy for Trillium Asset Management, stated that corporate disclosures of cybersecurity risks have largely become boilerplate, and are not useful to investors. He stated that all companies are exposed to external threats from hacking, cybercrime, espionage, employee negligence and the like; what investors want to know is what companies are doing internally that makes those external threats more or less risky. In particular, Kron called for companies to disclose what private information they collect, how they use it, and how long they keep it. In his view, companies often over-collect data and thereby create a greater risk for themselves in the event of a cyberattack, and he feels investors want this information to be able to evaluate those risks.

Several panelists challenged the notion that the occurrence of a data breach, even a massive one, is a material event that companies ought to be required to disclose to shareholders. Meal stated that in “80-90% of cases” the stock price movement in response to disclosure of a data breach is modest.
Peter Beshar of insurer Marsh & McLennan agreed and pointed to the example of TJX Companies, which experienced no stock price reaction when it announced one of the largest data breaches in history.

Professor Roberta Karmel stated that while cybersecurity is an urgent social and policy issue, she questioned whether the SEC was the correct agency to address it. She suggested that trying to use disclosure rules to regulate corporate behavior — like cybersecurity — that may not be directly related to the integrity of financial markets can dilute the usefulness of those disclosures. Karmel added that she felt the 2011 CorpFin guidance was “good,” and that perhaps it could be refined to reduce the amount of boilerplate language in disclosures. However, she urged the SEC not to “go overboard with regulatory requirements.”

Leslie Thornton, General Counsel for WGL Holdings, Inc., and Washington Gas Light Company, suggested that the SEC should consider creating different disclosure requirements for companies in the critical infrastructure arena than for those involved in consumer retail, given both the distinct threats faced by, and the disparate impact that a cyberattack would inflict upon, each industry.

Cybersecurity And Market Systems Risk

The third panel addressed cybersecurity risks to market systems. Representatives of several exchanges discussed the threats and concerns faced by those markets, and how they are responding. The panel reiterated the importance of information sharing, both between government and the private sector, as well as among private sector entities. The panel praised the usefulness of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry-wide exchange for threat information, and discussed the importance of tabletop exercises and procedure testing.
Mark Graff, NASDAQ’s Chief Information Security Officer, stated that one area where the SEC could provide additional guidance concerns the possibility that a compromised financial services firm might send the exchange a trade that was technically sound, but did not reflect the volition of the trader because of hacking or infiltration. He stated that, as he understands the issue, the exchange would not be allowed to break that trade, but additional guidance would be useful.

Cybersecurity Issues Facing Broker-Dealers, Investment Advisors And Transfer Agents

The final panel addressed the concerns of broker-dealers, investment advisors, and transfer agents. The major topic of discussion was the possibility that the SEC might promulgate cybersecurity rules for brokerages and other regulated entities. Panelists pointed out that, unlike a retailer, which might regain customer trust after a data breach, a single incident of customer loss due to a network infiltration could bring down an investment house.

John Reed Stark of Stroz Friedberg asked the SEC to be judicious in referrals for enforcement, as it is in firms’ best interest to use best practices, and where they fail to do so, they probably need instruction more than enforcement. David Tittsworth of the Investment Adviser Association urged the Commissioners to “please resist the urge to impose rigid guidelines,” and instead focus on disseminating information and best practices; likewise, Karl Schimmeck of the Securities Industry and Financial Markets Association urged the Commission to avoid prescriptive guidelines and instead focus on outcomes and on providing flexible frameworks. The panel pressed the Commission to take steps to ensure that smaller firms are educated and encouraged to adopt “highest common denominator” standards, rather than attempt to regulate to the lowest common denominator.
The Discussion Continues

This roundtable is likely the beginning of a strong push on the SEC’s part to become more involved in cyber issues. As noted by Commissioner Aguilar, “there is no doubt that the SEC must play a role in this area, what is less clear is what that role should be.” The Commissioners seemed particularly attuned to panelists’ pleas for more robust sharing of information on the part of the government, as well as clearer guidance on information sharing from industry to government and among businesses. To continue the discussion, the SEC strongly encouraged members of the public to provide feedback and comments through the SEC’s website.