SEC Issues Clarification on Cybersecurity Guidance
Have you ever watched Mr. Smith Goes to Washington? Everyone has their own favorite scene, but my favorite was when California Representative Anna Eshoo grilled Mr. Smith for his improper oversight and lack of understanding of cyber risk.
If you don’t remember James Stewart acting out that dramatic scene in Capra’s iconic film, that’s because I’m referring to the Congressional hearing on the Equifax breach where Richard Smith, the former Chair and CEO of Equifax, answered questions from the House Energy and Commerce Subcommittee on October 3, 2017. In the hearing, Representative Eshoo shared that in her discussions with Silicon Valley CEOs, they regularly cite two main reasons for data breaches: one, lack of proper system hygiene, and two, very poor cybersecurity management.
SEC Clarifies Breach Disclosure Obligations
This February, in the widening ripple-effect of the Equifax and other prominent breaches, the SEC issued an “interpretive release” which provided additional clarification to its 2011 cybersecurity guidance. Specifically, the interpretive release emphasizes the following three points:
- Cybersecurity Policies & Procedures. The SEC strongly encourages companies to examine which cybersecurity policies and procedures should be adopted, and to assess whether or not they have sufficient disclosure reporting controls and processes in place. “Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC is highlighting that senior management needs to be informed of, and enabled to make, disclosure decisions when it comes to cyber risk issues.
- Cybersecurity-related Insider Trading Prohibitions. The interpretive release stresses the need for Board Directors to be on alert for any warning signs of potential insider trading as a result of apparent cybersecurity risk issues or ahead of disclosures. The need to remind executives and other employees not to use their insider knowledge of material cyber risk factors or imminent disclosures was likely a reaction to three Equifax executives selling shares worth $1.8 million days after the company discovered that it had suffered a cyber breach. Update: On March 14th, 2018, Equifax’s former CIO, Jun Ying, was indicted on federal charges for insider trading related to, and prior to, Equifax’s public announcement of its 2017 data breach.
- Board of Directors’ Risk Oversight Duties. The Board of Directors has a fiduciary duty to oversee a variety of risk factors, particularly risks that would have any type of material impact on the company. In this release, the SEC re-emphasizes that the Board must describe how it administers its risk oversight functions, as well as the relationship between directors and senior managers during the management of any potential material risks. The SEC opines that cyber risk issues with potential materiality impacts should be included in the discussions pertaining to those material risk oversight functions and in the Board’s relationship with senior management on risk management. Given the severe impacts that may follow a significant cyber incident, the SEC is clearly trying to nudge Board Directors into taking a more proactive approach to cyber risk governance.
How seriously should companies take the SEC’s interpretation and guidance on cyber risk? The answer is: very seriously. However, the reason is not fear of SEC enforcement actions – the original 2011 SEC guidance on cybersecurity suggested that the SEC would not yet enforce the guidance it had issued. Rather, companies should take the recommendations seriously because doing so is simply good governance. Cyber risk can have devastating financial and reputational impacts.
I Yield Back the Remainder of My Time
Representative Eshoo’s questions to Mr. Richard Smith were spot-on in highlighting the need for senior leadership to increase their cybersecurity literacy and properly manage this growing risk issue. To paraphrase, the Congresswoman asked:
As CEO at the time…
- When did you become aware of the breach, and what did you say to your CIO?
- Did you understand what the vulnerability was?
- Did you understand what the patch meant?
- Did you understand the need for timeliness to have this fixed?
- Did anything change in the IT department, and did you implement any new policies?
As a business leader, you need more than questions. You need to understand how cyber risk influences your business’ broader enterprise risk. Our dynamic and interactive Resolve training program provides a new level of confidence for today’s business leaders.