On March 26th, the U.S. Securities and Exchange Commission hosted a day-long roundtable to discuss cybersecurity and the ensuing issues and challenges for the securities markets and public companies.
The roundtable was intended as a forum in which the SEC could become better informed about these issues and challenges by talking with the marketplace, fellow agencies, and representatives from the private sector who understand cyber risks and how best to combat them, while providing these other actors with the opportunity to engage the Commission on these developing issues.
The SEC first signaled its interest in cybersecurity issues back in 2011 when it released guidance to public companies suggesting detailed cyber risk and mediation disclosures. Since issuing that guidance, the Commission has issued a series of comment letters on these disclosures and has received advice to heighten these standards and/or make them mandatory. These suggestions were part of the public dialogue at the roundtable.
Major themes of the day included:
- The need for a public-private partnership to engage in information sharing and technical assistance
- The value of a cyber incident response plan in advance of an attack
- The level of board engagement/best practices
- That there is no single set of solutions that addresses all industries, but there are approaches that various industries can adopt on a voluntary basis
- While more guidance on cyber disclosure topics may be useful, mandates might create more problems while yielding no new solutions.
1. A Public-Private Partnership
It is possible that the roundtable itself was intended to demonstrate how this might be helpful, as private company speaker after speaker indicated that the opportunity to discuss the challenges was in itself useful. Some also indicated that real-time tips from governmental agencies had helped avert incidents in the past.
Hurdles to communication, such as the need for security clearances and the hesitance of legal advisors about bringing in the government, were acknowledged and examined along with possible solutions or approaches.
2. Cyber Incident Response Plan
Some of the speakers were blunt: Those with pre-existing, tested plans were better able to minimize and survive serious attacks. Separate panels composed of financial services firms and market participants discussed in detail how thoroughly and how often such plans should be tested.
Financial institutions were acknowledged to be at ground zero when it comes to being a cyber-attack target, and to have done the best job of information sharing and stress testing.
3. Board Involvement
Corporate boards are asking questions but are not necessarily equipped with intense technical understanding of all of the issues (nor should they be expected to be cyber specialists). Many are including cyber risks as part of their enterprise risk management (ERM) assessment.
The question was raised as to best practices: Should companies have a separate cyber/technology committee (similar to the audit committee or risk committee)? Several roundtable participants indicated that, other than for big data/online retailers and similarly situated companies, an ERM approach would likely be suitable.
4. No One Universal Solution
Some background on previous, unsuccessful attempts at Congressional action to legislate cyber solutions was helpful in explaining the issuance of Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which directed NIST to work with stakeholders to develop a voluntary framework using existing standards and practices to reduce cyber risks to critical infrastructure.
While focused on critical infrastructure industries, the NIST framework would be industry-specific, involve public and private stakeholders and be voluntary in nature. It may also serve as an excellent communication tool to assist interested parties (including the board) to engage in strategic thinking and decision making in the cyber space.
Ultimately expanding this framework to non-critical infrastructure sectors was suggested.
5. More Guidance on Disclosure May be Useful; Dictated Standards – Not So Much
There appears to be a lot of middle ground within the spectrum that runs from disclosing simply boilerplate risks and attempts at risk mediation to, at the other end, publishing a roadmap of the firm’s cyber vulnerabilities. The SEC’s guidance on public company cyber exposure disclosures was intended to be helpful to investors – but boilerplate, used all too frequently, gives shareholders little of that help.
There are also state laws on disclosure but these tend to focus on personally identifiable information (PII), such as credit card information or social security numbers, and only apply once there has been a system intrusion.
While historic information on company stock price movement following the announcement of a cyber event seems to show little correlation, this may be changing, and shareholders may want to reward companies that can differentiate themselves from others in their industry.
Although all companies in an industry may face the same exposures, it may be that different mitigation strategies may yield different outcomes – and be a way for companies to differentiate themselves. (Note that the SEC’s guidance suggested that mitigation tools be disclosed in addition to the risks themselves.)