Friday, March 11, 2022

Investor Advisory Committee addresses cybersecurity disclosures

By Elena Eyber, J.D.

In a panel discussion of the SEC Investor Advisory Committee held on March 10, 2022, the panelists focused on the importance of cybersecurity and the role it is playing as investors try to understand a company’s risk profile. The panelists provided an overview of the cybersecurity landscape, the impacts of attacks, and a review of current disclosure requirements and the information being provided to investors. Further, the panelists discussed what investors want to know and specific suggestions as to how current disclosure requirements could be changed to ensure that investors are provided relevant information without compromising the company’s approach to security.

The first panelist was Keith Cassidy, Associate Director in the SEC Division of Examinations and head of the Technology Controls Program. Cassidy oversees a team responsible for conducting examinations of entities subject to Regulation Systems Compliance and Integrity (SCI) and for providing technical assistance to the other national exam programs on technology-related issues. His team also administers the SEC’s CyberWatch program, which is the primary intake point for information filed under Regulation SCI, and it issues risk alerts on ransomware and other cyberattacks.

The second panelist was Jeff Tricoli, Senior Vice President, Technology Risk Management at Charles Schwab. Tricoli stressed that Schwab has a very rigorous process for technology risk management. Tricoli is responsible for the oversight of technology risk and for making sure that systems and applications are working appropriately. Tricoli pointed out that one of the key pieces is to be transparent with the Board, which sets the risk tolerance. Tricoli looks at what is acceptable and what is not, and lets the Board know whether the company is operating within the risk parameters the Board has set.

The third panelist was Joshua Mitts, PhD, JD, Associate Professor of Law and Milton Handler Fellow at Columbia Law School. Mitts summarized his research on the topic of cybersecurity and discussed a paper he recently wrote on disclosure of cybersecurity incidents. He discussed how much hackers invest in order to carry out a successful data breach. The profits they obtain by exploiting security vulnerabilities justify enhanced legal scrutiny. Mitts stressed that insider trading is difficult to prove, and that ongoing cyber disclosure is effective. Mitts also discussed the SEC’s proposed Form 8-K, Item 1.05, under which disclosure arises only when a cybersecurity incident is determined by the registrant to be material. But what if a firm deems a cybersecurity incident immaterial? Is there a violation of the 8-K reporting rule? Mitts suggested that materiality issues need to be further refined.

The last panelist was Athanasia Karananou, Director, Corporate Governance and Research at Principles for Responsible Investment (PRI). She gave an introduction to the PRI and discussed cybersecurity from an investor perspective, covering engagement, key insights, disclosure expectations, and recommendations. PRI is investor-led and has been supported by the United Nations since 2006, with the goals of understanding the investment implications of environmental, social and governance issues and supporting signatories in integrating these issues into investment decisions. Karananou pointed out some of the challenges for investors, which include difficulty navigating the cybersecurity landscape, not being privy to internal management discussions, and poor cybersecurity disclosure. PRI’s collaborative engagement objectives include building investors’ knowledge, improving the amount and quality of company disclosure, and establishing investor expectations. One of the engagement insights Karananou pointed out concerns Board expertise: the companies did not rule out the possibility of appointing directors with cybersecurity expertise, but cyber expertise was not a priority for appointments. With respect to disclosure expectations, Karananou discussed common standards, emerging disclosure, and areas for expanded reporting. In conclusion, she recommended publication of a cybersecurity policy (including the extent of its coverage), a description of how board expertise on cybersecurity is addressed, identification of a senior person or executive responsible for cybersecurity, and evidence that cybersecurity training is provided to all staff.

Chair Gary Gensler’s remarks. Gensler delivered prepared remarks before the Investor Advisory Committee. He pointed out that on March 9, 2022, the SEC voted to propose new rules on cybersecurity disclosures for issuers. This was the third rulemaking project the SEC has proposed that implicates cybersecurity. Earlier this winter, the SEC voted to propose expanding Regulation Systems Compliance and Integrity (SCI) to certain government securities trading platforms. In February, the SEC voted to propose new cybersecurity obligations for registered investment advisers and funds. Gensler welcomed the panelists’ comments on these proposals.

Commissioner Hester Peirce’s remarks. Peirce also delivered prepared remarks, pointing out that the SEC had just proposed a rule on cybersecurity disclosures. Peirce dissented from the proposal because of concerns that its prescriptive nature could serve to shape companies’ cybersecurity programs rather than merely elicit disclosure. Peirce also welcomed input from the panelists to help shape the final rule.