During an address to the LA County Bar Association on Friday, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity, cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as exchanges, investment advisers and brokers, but his discussion of cybersecurity in the context of public companies is of the most interest here. While the SEC has imposed some principles-based requirements and issued guidance on cybersecurity disclosure, Roisman believes there is more guidance, and even regulation, that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors benefit from increased disclosure and protection by companies.”
Cyber threats cover a wide area, explains Roisman: they can involve “simple account intrusions that seek to steal assets from an investor’s or client’s accounts; ransomware attacks that seek to disable business operations in order to extract payments; and even acts of ‘hacktivism’ that disrupt services to assert a political point of view. Cyber events can often be difficult to detect, difficult to measure quickly, and may involve reporting obligations to multiple government agencies and stakeholders.”
While public companies have general disclosure obligations under the securities laws, they may also have a responsibility to “take steps to prevent and mitigate the damage caused by these threats.” Roisman observes that “it has become increasingly important for market participants to work with lawyers and other experts to prepare for potential cyber attacks before they occur, that is, to design a cyberthreat monitoring plan, respond to potential breaches and understand when information needs to be reported outside the organization and to whom.”
Regarding disclosure guidance, although there is currently no explicit disclosure mandate regarding cybersecurity risks and cyber incidents, Roisman observes, the SEC issued guidance in 2018 specifying that companies may be obliged to disclose these risks and incidents under Reg S-K and Reg S-X, which require disclosure of risk factors, business and operations, MD&A and other matters. According to Roisman, the adoption and implementation of effective disclosure controls and procedures, which in turn rely on “engaged and informed officers, directors and others,” is a “necessary precondition” to providing adequate and timely disclosure.
Cybersecurity, Roisman notes, may also implicate internal control over financial reporting; he highlights the SEC’s 2018 Section 21(a) report regarding nine companies that were victims of cyber fraud when their employees transferred funds to pay false “invoices” in response to deceptive electronic communications.
And, Roisman observes, the Enforcement Division has also “brought two notable settled actions this summer involving disclosures of public companies regarding cybersecurity incidents.” Here, Roisman highlighted the recent cases against First American Financial Corporation and Pearson plc.
Finally, Roisman points to the appearance of potential cybersecurity rulemaking on the SEC’s most recent regulatory agenda. (See this PubCo post.) While he denies having laid eyes on a draft proposal, he has his own ideas about what he hopes to see in the anticipated proposal, including these points:
“First, we need to clearly define any new legal obligation. Second, we must ensure that these obligations do not create inconsistencies with the requirements established by our sister government agencies. Third, we must recognize that some registrants have more resources than others, and we must not try to define the resource requirements of an entity. And finally, as the businesses of issuers vary, the cybersecurity risks they face will also vary, and therefore a principles-based rule would likely work better.”
In particular, Roisman stresses the importance of working with other regulators, law enforcement and the national security community to ensure that the SEC’s proposal does not conflict with their mandates, for example where law enforcement or national security agencies have advised against disclosure. He also cautioned that any disclosure requirements should focus on eliciting material information and be tailored to avoid the disclosure of a “roadmap on how to infiltrate a registrant’s systems.”
In conclusion, Roisman offers a few ideas that businesses might consider undertaking right now. For example, companies may want to identify in advance the experts they can call on in the event of a cyber incident. In his view, this type of effort would be “prudent and diligent.” Another proactive way to mitigate potential harm would be through tabletop exercises. While these activities do not necessarily cover all circumstances, “they provide a level of proactive procedures and actions that a business can undertake in recognition of this potential risk.”