Cybersecurity Docket recently hosted a panel of experts who discussed how companies and firms should deal with cybersecurity breaches and when and how to disclose these incidents at its 2019 Incident Response Forum. The panel, which included several former government officials and an assistant director from the SEC’s Division of Enforcement, outlined several factors to consider when determining when to disclose cyberattacks and how to approach regulators and enforcement officials in the event of data breaches.
When to disclose. John Reed Stark of John Reed Stark Consulting served for 11 years as the chief of the SEC’s Office of Internet Enforcement and moderated the discussion. He asked the panel when a public company must disclose that it has suffered a data breach. Elizabeth P. Gray of Willkie Farr, who spent 12 years at the SEC including serving as an assistant director of Enforcement and as counsel to SEC Chairman Arthur Levitt, said whether to disclose a cyber breach comes down to materiality. The information would be material if it would matter to a reasonable investor, she explained. She also emphasized the importance of the process in determining whether it is material, including consulting with the finance department, the legal department, the executives, and possibly the board of directors.
SEC Assistant Enforcement Director Deborah Tarasevich said that the Commission’s 2018 guidance on cybersecurity disclosures lists several risk factors that companies should consider when evaluating whether to disclose a cybersecurity incident. She stressed that it is a fact-specific inquiry, but some factors to examine include the nature, extent, and magnitude of the incident; the importance of the information on the company’s operations; and the potential harm to the company, which might be harm to the company’s reputation, to its financial performance, to customer and vendor relationships, and the possibility of future litigation or regulatory action.
Tarasevich also cautioned that the existence of an ongoing internal or external investigation does not mean that the cyber breach does not have to be disclosed. In addition, she warned against making disclosures about cyber breaches so boilerplate that they would not be helpful to an investor. However, she advised that when it comes to enforcement actions, the SEC will not second-guess good faith, reasonable decisions about disclosure. That said, there will be circumstances where disclosure is so lacking that the Division will bring enforcement actions, Tarasevich explained.
Serrin A. Turner of Latham & Watkins, who served as the lead cybercrimes prosecutor in the Southern District of New York, addressed the SEC’s comment letter process on companies’ financial disclosures. If SEC staff members see stories about a data breach in the press but do not see it in the company’s official disclosures, they will ask why the breach was not disclosed. One approach is to disclose the incident in an SEC filing without saying it was actually material, Turner suggested, noting that the SEC said it is helpful if companies, when describing risks, discuss incidents that have happened in the past.
Stark inquired about the SEC’s October 2018 Section 21(a) report, which detailed “business email compromises” (BECs) of nine issuers that were victims of schemes involving spoofed or compromised electronic communications from persons claiming to be executives of the companies or their vendors. The report found that the BECs resulted from insufficient internal controls. The companies were not named in the report, nor were they charged. According to Prudential Financial’s Andrew S. Pak, former senior counsel in the Department of Justice’s Computer Crimes and Intellectual Property Section, the main takeaway from the 21(a) report is not to focus only on documents that have the word “cyber” in them; companies also need to think about controls that are simply “human controls” and would not necessarily be linked to a cyber program. Separating cyber policy from the specialized cyber documents is an important lesson from the Commission’s 21(a) report, Pak said.
Regulated entities. The panelists also discussed the issue of disclosing a cyber breach by regulated entities such as broker-dealers, investment advisers, and national securities exchanges. Gray said it is important that regulated entities have a system in place to address these incidents because it will make the response and the decision on materiality clearer. Regulated entities will have different assessments from public companies as to when they should go to their regulator (such as FINRA or state regulators) to disclose a breach.
Tarasevich advised that there are three main rules related to regulated entities and cyber incidents: (1) Regulation S-P, which requires investment advisers and broker-dealers to have policies and procedures in place reasonably designed to protect customer information; (2) Regulation S-ID, which protects against identity theft and applies to investment advisers, broker-dealers, and investment companies; and (3) Regulation SCI, which only applies to approximately 45 entities such as stock exchanges, clearing firms, and other entities that are critical to the functioning of the market system.
Regulation SCI requires that the subject entities have policies and procedures in place with regard to their systems, as well as requiring the entities to report to the SEC if they have any systems issues, including cyber-related issues, Tarasevich said.
Stark asked how regulated entities can avoid drawing the attention of the SEC when it comes to dealing with cyber breaches. Gray advised that it is important to have a cybersecurity system in place such as a breach response program that requires reporting up if a problem is detected. She also recommended working with counsel on the firm’s cyber system before an OCIE exam because OCIE examiners can and will refer matters to the Enforcement Division.
Stark asked about the SEC’s 2016 enforcement action against Morgan Stanley, where the firm agreed to pay a $1 million penalty due to its failure to protect customer information that was downloaded to an employee’s personal server and then hacked by a third party. Turner noted that Morgan Stanley is a sophisticated company with sophisticated controls that were supposed to make sure certain data was only available to employees with certain privileges. However, there was a glitch in the controls that could be exploited, he said. Turner observed that the SEC came down hard on Morgan Stanley, and it might not have been as harsh on a smaller firm.
Tarasevich added that Morgan Stanley’s control system at issue had not been audited in its 10-year existence. If you have policies and procedures in place to catch this misconduct, regularly review them and update them to make sure they are responsive to current risks, she advised.