The Race For Cyber Security: An Invitation to Join With the SEC

There is no doubt that technology presents any number of new opportunities for firms and individuals and that it is transforming the market place for goods and services at an increasingly rapid rate. Computer systems, the cloud, smart phones and other devices are all evidence of this point.

At the same time this technology also holds the promise of significant damage if not properly managed. Computer hacking, stealing inside information as has been seen in some Commission cases, or taking the personal information of millions of consumers as has been done in other instances are actions which can inflict widespread, significant damage on companies, shareholders and consumers. This of course brings the question of cyber security to the forefront – a key focus for the SEC’s Enforcement Division and its new cyber unit and the subject of a recently released Commission policy.

Commissioner Robert Jackson, who favored the recently released Commission policy on disclosure but pushed unsuccessfully for a more far reaching one, delivered thoughtful comments on the subject last week titled Corporate Governance: On the Front Lines of America’s Cyber War” (March 15, 2018)(here).

The Commissioner called corporate counsel to action, requesting that he or she step-up and grapple with the question of cyber security on the technology side and the corporate policy, procedure and internal control side to ensure the firm’s response and defense to this pressing problem is robust. The Commissioner began by redefining the question from one of disclosure to effective corporate governance. Calling the question the “most pressing issue in corporate governance today” Mr. Jackson correctly noted that “Hardly a day goes by that we don’t hear about another threat, hack, attack, or major cyber event.”

While many firms are taking steps to address the question, to often the approach is from a tactical prospective which is not sufficient. The real question requires a different approach because it is not one of just systems and tactics: “[T]he cyber threat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach . . . by senior leadership and board-level attention,” according to the Commissioner. Meeting the cyber security challenges of the future is critical for each company, the Commission and the U.S. economy.

Turning to the Commission’s recent guidance, Commissioner Jackson noted that its goal is to promote “clearer and more robust disclosure” of cybersecurity breaches (internal quotations omitted). That guidance, however, “relies heavily on the judgments of corporate counsel to make sure investors get the information they need. I worry that these judgments have, too often, erred on the side of nondisclosure, leaving investors in the dark – and putting companies at risk.” In support of this point the Commissioner cited the comments of the SEC’s Advisory Committee noting that disclosures in this area have not markedly improved since 2011 when the Commission issued its last guidance on the question (and which is the predicate for the recent release). Perhaps more telling was a survey done by the Commissioner showing that in 2017 there were 81 cybersecurity incidents at public firms (eliminating minor issues) but only two firms filed an 8-K disclosing the breach. Stated differently, over 97% of the firms did not file an 8-K disclosing the issue.

Not only does this approach put the enterprise at risk, according to the Commissioner, but the information can and does leak out. This apparently occurred in the incident involving Equifax where certain insiders sold shares even after the CEO discovered the issue but before the breach was revealed to the market. This presents a question of whether the board of directors is doing enough to ensure the security of inside information and prohibit trading. It also presents a question of whether others who are trading on the basis of the information can be held accountable: “In the midst of the war we are fighting on the cyber front, we cannot allow our securities markets to be a source of profit for hackers . . .” the Commissioner noted.

A key part of the recently released SEC guidance on cybersecurity noted that the firm’s cyber policies must be viewed as “key elements of enterprise-wide risk management.” Accordingly it is critical that firms have sufficient disclosure controls and procedures to ensure that the relevant information is reported up the corporate ladder. While this may have traditionally been left to those involved with technology, it is critical that corporate counsel become involved with these issues and the development of the proper controls. As Commissioner Jackson stated: “I am hopeful that this part of our guidance will lead companies and their counsel to ask themselves whether their existing internal controls are up to the daunting task we face . . . [we] need sophisticated corporate counsel to help us make sure that our rules have the intended effect – in the boardroom, in the marketplace, and in the race to protect our companies and our country from the hackers who would do us harm. I hope you will join me . . .”

Program: Insights Into SEC Enforcement, is roundtable discussion of the Former Directors of the SEC’s Division of Enforcement that will be held on April 3, 2018 beginning a 4:30 p.m. at Georgetown University Law School. The program will be followed by a reception. Registration is available here without charge. The program is sponsored by the SEC Historical Society, the Federal Bar Association, and the Association of SEC Alumni.