“SEC Holds Roundtable on Cybersecurity”
The Securities and Exchange Commission recently held a roundtable on the issues and challenges that cybersecurity presents for market participants and public companies. The roundtable is a means by which the SEC Commissioners can hear a range of viewpoints and become better informed. Armed with this understanding, the Commissioners will consider whether the SEC should take additional steps, in the form of regulation or other guidance, directed either to public companies generally or to entities regulated by the SEC, such as exchanges, investment advisers, broker-dealers and transfer agents. There is no timetable for further SEC action.
Although panelists’ views may have varied on particular matters, there was universal agreement that cybersecurity risks are varied, constantly evolving and pervasive, and that they present critical issues for government agencies, public companies and market participants.
Several themes of particular relevance to public companies were discussed by panelists, including:
- cybersecurity is not “just an IT issue” but an enterprise-wide operational risk;
- planning for cybersecurity threats is never “done,” and there are no solutions that make the issue go away;
- companies should develop plans for how to address cyber incidents, including mitigation and business resiliency/recovery, internal communications and external communications to consumers, regulators and law enforcement and/or intelligence agencies;
- companies should develop a culture of cybersecurity where employees at all levels and across functions take responsibility for considering vulnerabilities and mitigating cyber threats;
- like other enterprise risks, cybersecurity is an area requiring oversight by a board of directors or a board committee. Cybersecurity expertise is not a criterion for board membership, but directors should ask questions and satisfy themselves that management has developed systems to monitor, address, remediate and recover from cybersecurity incidents;
- cybersecurity threat assessments should be risk-based and solutions have to consider other operational imperatives; and
- planned responses to cyber threats should be drilled or “war-gamed” and cannot simply sit on the shelf to be pulled out when the need arises.
A particularly difficult question for the SEC, as well as for public companies, concerns company disclosures regarding cybersecurity risks and incidents. The SEC’s Division of Corporation Finance published guidance in October 2011, as a result of which risk factor disclosure has become the norm. An investor representative on one panel observed that this disclosure is becoming boilerplate and that more disclosure would be helpful to investors. Other panelists observed that company disclosure of cyber incidents is usually driven by consumer protection laws and regulations rather than by a view that the information is material to investors. Many panelists cautioned against disclosure requirements that would increase company vulnerabilities to cyber-attacks, and a former SEC Commissioner on the panel observed that more company disclosure may not be in the public’s interest. As the SEC, among other questions, will likely give further consideration to whether public companies should be required to provide additional cybersecurity disclosures, there was a clear message from nearly all panelists to tread carefully.
It is also clear that cybersecurity will continue to be a subject of great interest to the SEC and other government agencies, market participants, and public companies and their boards of directors.