Cybersecurity enthusiasts, take note: even a Republican member of the Securities and Exchange Commission is calling for more rules on the subject, to help financial firms and publicly traded companies better understand their disclosure and investor protection duties.
The remarks came from commissioner Elad Roisman, in a speech he delivered last week. Roisman stressed the usual Republican talking points that rules should be principles-based and predicated on materiality, but also expressly said: “I believe there is more that the commission should contemplate in terms of cyber guidance and/or rules to ensure that companies understand our expectations and investors get the benefit of increased disclosure and protections by companies.”
You don’t hear that too often from a Republican. So consider it one more sign that further guidance or rulemaking on cybersecurity is coming, since the SEC has already put such plans on the docket. We don’t know what the agency might propose for enhanced disclosures nor when any such proposal might arrive — but let’s not kid ourselves. Cybersecurity is an enormous mess right now. Of course the SEC is going to propose, well, something.
Still, Roisman hedged his comments carefully. He wants to see any new disclosure obligations clearly defined, with plenty of flexibility depending on a company’s size, industry, and operations. His four cautions:
First, we need to define any new legal obligations clearly. Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies. Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity. And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.
Now, if one were cynical, you might suspect this is Roisman offering a sneak preview of what he’ll say when he votes against whatever new rule the Democratic majority puts to a vote sometime in the future. On the other hand, he’s not wrong to note that cybersecurity risks can vary wildly. Even companies of similar size and industry might have starkly different cybersecurity issues thanks to the design of their IT systems. For example, a highly acquisitive firm might have a hodgepodge of inherited IT systems, versus a company that has grown organically and relied on fewer, stronger IT applications.
So Roisman has a point that some flexibility should be allowed here. But how much flexibility is necessary, really? If your company collects lots of personally identifiable information, then you have a risk of privacy breach and follow-on regulatory enforcement — period. It doesn’t matter whether your IT systems are a hodgepodge or a single unified platform. The risk doesn’t care. I don’t think investors would either.
Disclosure After Cybersecurity Failure
Perhaps the more interesting question is what the SEC might require for disclosure after a cybersecurity breach has happened. For example, in August the SEC fined education publisher Pearson $1 million for making misleading statements to investors about a breach the company suffered in 2018.
Pearson executives knew the severity of that breach by March 2019. Still, a mid-year report issued to investors in July 2019 only discussed data breaches as a hypothetical risk; and a subsequent statement to the media — who, by then, had discovered the actual breach in 2018 — only said the breach might have included sensitive personal data, when the company knew that such data had in fact been stolen.
The SEC also fined title insurance company First American Corp. $488,000 in June for essentially the same offense: executives knew about the severity of a breach, and were even trying to remediate the damage; but hadn’t disclosed the issue to investors.
If I had to bet on where the SEC might clarify and strengthen its guidance, this is where I’d place my money. Too often, executives aren’t making the connection between cybersecurity disruptions the company encounters (which can certainly pose a risk to operations or to share price) and the disclosure duties management has to investors. Either that, or executives do see the connection but don’t care: they rationalize some excuse for why the breach isn’t material, and therefore they don’t have to disclose.
If that’s correct, and the SEC tells executives to knock it off clarifies those disclosure duties, then compliance officers will need to assess whether internal policies and procedures to evaluate the materiality of a breach match expectations from whatever new criteria the SEC foists upon us. They’ll also need to examine alerting and escalation procedures, to be sure that IT doesn’t discover a breach and clean it up, without ever telling anyone else in the enterprise that something was amiss.
First, however, we need to see what the SEC does at all. Who knows, maybe the Democratic-led agency will even propose something Roisman the Republican will support. Crazier things have happened.