What role should the SEC play in regulating cybersecurity?

By Peter Isajiw, Law.com Contributor
This article was first published on the Law.com Network on March 28, 2014
In response to growing concerns surrounding cybersecurity — and a number of high-profile data breaches — on March 26, 2014, the Securities and Exchange Commission
(“SEC” or “Commission”) hosted a roundtable discussion on the issues and challenges
of cybersecurity. The roundtable was divided into four panels, and experts and industry
leaders were invited to comment on cybersecurity issues faced by financial markets and
public companies. The discussion made clear that cybersecurity issues pose a serious
and complicated problem from a regulatory perspective. As a means to continue the
dialogue begun with the roundtable, the SEC has opened a public comment period to
solicit feedback on cybersecurity issues.
Opening Remarks: Cyber Threats Are A Greater Risk To The Economy Than Terrorism
The session opened with brief remarks from Chair Mary Jo White. White noted that
cyberattacks “are of extraordinary and long-term seriousness” and stressed that the
public and private sectors need to be “riveted in lockstep” in addressing the complex
threats they pose. White noted the Commission last year adopted Regulation S-ID,
which requires certain regulated financial institutions and creditors to adopt and
implement identity theft programs, and that the SEC’s Division of Corporate Finance
(“CorpFin”) issued guidance in October 2011 on public company disclosures of cyber
breaches and risk. She emphasized that the issue is an important one that the SEC
“has continued to study.” Commissioner Luis Aguilar noted that financial markets are
dependent on sophisticated and interconnected technology, and that cyberattacks on
financial institutions and the infrastructure underlying capital markets are increasingly
common. As a result, Commissioner Aguilar continued, the Commission was seeking
input on balancing security needs against the business needs of public companies and
regulated entities.
The Cybersecurity Landscape
The topic of the first panel was the current cybersecurity landscape. The panel
discussed the need for a multi-stakeholder approach to cybersecurity, and the
importance of treating cybersecurity not as a technology or security issue, but as an
institutional business issue. The panel stressed the importance of businesses having a
cybersecurity response plan, and the need to have adaptable, continuous monitoring of
cybersecurity systems so that entities can most effectively target their scarce resources
to protect against ever-changing threats.
Larry Zelvin, Director of the Department of Homeland Security’s National Cybersecurity
and Communication Integration Center, spoke to the importance of sharing information
on threats between the public sector and government. Representatives of the private
sector agreed that information sharing is crucial, but indicated that they need clearer
channels of communication and guidelines as to what businesses can share with
government — and each other — without creating potential liability related to privacy
and civil liberties concerns.
Commissioner Aguilar asked those government representatives present whether the
disclosures made in SEC filings are reaching individuals responsible for cybersecurity,
and if this information is useful to them. Zelvin replied that “there is more pull than push”
when it comes to getting timely information from public companies, and that generally
by the time companies make disclosures in SEC filings, the information is no longer
timely.
Cybersecurity And Public Company Disclosures
The second panel addressed the topic of public company disclosures. Chair White and
other commissioners questioned the panel about the usefulness of CorpFin’s
cybersecurity disclosure guidelines. Douglas Meal of Ropes & Gray LLP remarked that
he cannot think of a case where a company’s disclosures were driven by securities
laws. He noted that there is a “tremendous disincentive” to disclose a data breach
because of the likelihood of resulting class action litigation and investigation by
consumer protection regulators who “often see companies as perpetrators as opposed
to victims” when a data breach occurs. Meal stated that where companies have made
disclosures, this is generally driven by state disclosure or consumer protection laws,
and where companies are not otherwise obligated to disclose a data breach, they will
almost never treat it as a material event to be disclosed under federal securities laws.
Jonas Kron, the Director of Shareholder Advocacy for Trillium Asset Management,
stated that corporate disclosures of cybersecurity risks have largely become boilerplate,
and are not useful to investors. He stated that all companies are exposed to external
threats from hacking, cybercrime, espionage, employee negligence and the like; what
investors want to know is what companies are doing internally that makes those external
threats more or less risky. In particular, Kron called for companies to disclose what
private information they collect, how they use it, and how long they keep it. In his view,
companies often over-collect data and thereby create a greater risk for themselves in
the event of a cyber-attack, and he feels investors want the information to be able to
evaluate these risks.
Several panelists challenged the notion that the occurrence of a data breach, even if
massive, is a material event that companies ought to be required to disclose to
shareholders. Meal stated that in “80-90% of cases” the stock price movement in
response to disclosure of a data breach is modest. Peter Beshar of insurer Marsh &
McLennan agreed and pointed to the example of TJX Companies, which experienced
no stock price reaction when it announced one of the largest data breaches in history.
Professor Roberta Karmel acknowledged that cybersecurity is an urgent social and policy
issue, but questioned whether the SEC was the correct agency to address it. She
suggested that trying to use disclosure rules to regulate corporate behavior — like
cybersecurity — that may not be directly related to the integrity of financial markets can
dilute the usefulness of those disclosures. Karmel added that she felt the 2011 CorpFin
guidance was “good,” and perhaps it could be refined to reduce the amount of
boilerplate language in disclosures. However, she urged the SEC not to “go overboard
with regulatory requirements.” Leslie Thornton, General Counsel for WGL Holdings,
Inc., and Washington Gas Light Company, suggested that the SEC should consider
creating different disclosure requirements for companies in the critical infrastructure
arena from those for companies in consumer retail, given both the distinct threats faced by,
and the disparate impact that a cyberattack would inflict upon, each industry.
Cybersecurity And Market Systems Risk
The third panel addressed cybersecurity risks to market systems. Representatives of
several exchanges discussed the threats and concerns faced by those markets, and
how they are responding. The panel reiterated the importance of information sharing,
both between government and the private sector, as well as among private sector
entities. The panel praised the usefulness of the Financial Services Information Sharing
and Analysis Center (FS-ISAC), an industry-wide information exchange for threat
information, and discussed the importance of tabletop exercises and procedure testing.
Mark Graff, NASDAQ’s Chief Information Security Officer, stated that one area where
the SEC could provide additional information is in regard to the potential that a
compromised financial service firm might send a trade to the exchange that was
technically sound, but did not reflect the volition of the trader due to hacking or
infiltration. He stated that as he understands the issue, the exchange would not be
allowed to break that trade, but additional guidance would be useful.
Cybersecurity Issues Facing Broker-Dealers, Investment Advisors And Transfer Agents
The final panel addressed the concerns of broker-dealers, investment advisors, and
transfer agents. The major topic of discussion was the possibility that the SEC might
promulgate rules pertaining to cybersecurity for brokerages and other regulated entities.
Panelists pointed out that, unlike a retailer, which might regain customer trust after a data
breach, an investment house could be brought down by a single incident of customer loss
due to a network infiltration. John Reed Stark of Stroz Friedberg asked the SEC to be judicious in
referrals for enforcement, as it is in firms’ best interest to use best practices, and where
they fail to do so, they probably need instruction more than enforcement. David
Tittsworth from the Investment Adviser Association urged the Commissioners to “please
resist the urge to impose rigid guidelines,” and instead focus on disseminating
information and best practices; likewise, Karl Schimmeck of the Securities Industry and
Financial Markets Association urged the Commission to avoid prescriptive guidelines
and instead focus on outcomes and providing flexible frameworks. The panel pressed
the Commission to take steps to ensure that smaller firms are educated and
encouraged to adopt “highest common denominator” standards, rather than attempt to
regulate to the lowest common denominator.
The Discussion Continues
This roundtable is likely the beginning of a strong push on the SEC’s part to become
more involved in cyber issues. As noted by Commissioner Aguilar, “there is no doubt
that the SEC must play a role in this area, what is less clear is what that role should be.”
The Commissioners seemed particularly attuned to panelists’ pleas for more robust
sharing of information on the part of the government, as well as clearer guidance on
information sharing from industry to government and among businesses. To continue
the discussion, the SEC strongly encouraged members of the public to provide
feedback and comments through the SEC’s website.