New Securities and Exchange Commission rules planned for how public companies report on cybersecurity signal regulatory pressure on risk oversight following a spate of high-profile, high-cost hacks.
The SEC is considering a proposal as it reportedly investigates how companies responded to last year’s SolarWinds Corp. hack, including whether they made proper disclosures to investors.
SolarWinds also faces its own investigations from the SEC, the Justice Department, and other government authorities.
In another post-leak, regulatory action, the commission recently settled cyber-reporting-related charges against real estate settlement services company
“Clearly the SEC is elevating their focus on cyber-risk governance and placing expectations on companies to be transparent,” said Chris Hetner, former senior cybersecurity adviser to two of the commission’s chairs. Hetner worked on the SEC’s most recent guidance to public companies on cyber reporting, which came out in 2018.
Companies have seen more intense scrutiny of their cyber posture lately, with questioning from Congress on the fallout from hacks and pressure from the White House to step up security. Requiring more robust cyber-risk disclosures, as the SEC signaled in its recently released regulatory agenda, could force executives and boards of directors to rethink how they oversee such risks.
There’s a “disconnect” between corporate management and the board when it comes to articulating and addressing the impact of cyber threats, Hetner said. He currently works with boards as a cyber adviser to the National Association of Corporate Directors.
“Most boards don’t understand the technical and operational details behind cybersecurity,” he said. Meanwhile, “management continues to report on cyber using tech jargon, which makes it a challenge for the board to exercise its oversight responsibilities.”
The SEC’s 2018 guidance told companies to disclose cyber risks and incidents that are considered relevant to their financial condition and to investors’ decision-making.
Such reporting should cover potential impacts on a company’s operations and reputation from a cyber incident, as well as any resulting regulatory investigations or lawsuits, according to the guidance. The 2018 guidance, which updated an earlier 2011 document, also told companies to explain the board’s role in overseeing cyber risks.
While the commission’s rulemaking agenda doesn’t offer details on what new cyber-risk reporting rules might look like, corporate governance professionals say they’re likely to expand on the earlier guidance and give public companies more specific directives for disclosures.
Large companies are addressing how boards of directors oversee cybersecurity, according to an analysis of Fortune 100 company filings by consultant EY. Most companies studied note cyber among board committee responsibilities, and some cite it as an area of director expertise. Still, few companies reported that they performed cyber-incident simulations or tabletop exercises, the analysis showed.
Some corporate governance advisers say the current SEC guidance doesn’t go far enough toward making companies focus on future cyber threats—not just cyber incidents that have already occurred.
“Reporting incidents is easy, after the fact,” said Bob Zukis, founder and chief executive of the Digital Directors Network, a group that’s building a pool of technology executives to sit on corporate boards. Zukis also teaches at the University of Southern California’s Marshall School of Business. “Risks are not being described to a meaningful level,” he said.
New cyber-reporting rules would raise the issue above the current level and refine requirements for companies, said Michelle Lowry, a finance professor who directs a governance institute at Drexel University.
“One advantage of the SEC going forward with a rule is that it gives companies clearer guidance on what to expect,” Lowry said.
A cyber-disclosure rulemaking could also foreshadow stricter enforcement by the commission. Cyber-related enforcement actions, so far, have been “very limited,” said Andreas Kaltsounis, a partner at Baker & Hostetler LLP who used to work in a cyber field office for the Defense Department’s internal watchdog.
The most notable enforcement example is the SEC’s $35 million fine against
The Yahoo example goes “pretty far over the line” of what’s considered acceptable for timely cyber disclosures, Kaltsounis said. “It doesn’t give me a lot to work with for advising clients on how to avoid crossing the line,” he said.
Regulatory enforcement for cyber disclosures could also include scrutiny of stock trades by corporate executives and directors, Hetner, the former SEC cyber adviser, said. The SEC, in its earlier guidance, warned companies to be “mindful” of how insider trading laws apply to cybersecurity and suggested that companies restrict insider trades while investigating cyber incidents.
The commission’s probe into victims of the SolarWinds hack is said to be looking at whether there was suspicious trading related to the attack, Bloomberg News has reported. The commission previously charged former
“Enforcement activity is case by case,” said Melissa Krasnow, a partner at VLP Law Group who focuses on data privacy and security. “To make it a rule makes it much more explicit.”
If the SEC moves forward with a cyber-governance proposal, it’s aiming for an October issuance, according to its regulatory agenda.