Continuing our live updates from today’s SEC Cybersecurity Roundtable, below is an overview of the second panel discussion, which commenced at 11:15 a.m. EST and covered cybersecurity disclosure issues faced by public companies.
Topic 1: How do cybersecurity risks impact public disclosures and how have disclosures changed over time?
The panel noted that the nature of the cyber threat or attack will have an impact on whether a disclosure is made. For example, a company may not disclose an attack launched by a foreign government, especially when the company was notified of the attack by the government. Conversely, a disclosure is more likely to occur when a breach involves consumer or customer information.
Topic 2: Are cyber risks a unique threat from a disclosure standpoint?
The panel noted the SEC appears to apply a different standard when it comes to cyber risks as compared to other material risks. This emphasis suggests the SEC will require more comprehensive disclosures. For example, the SEC guidance discusses the need to disclose whether cyber insurance has been secured.
Topic 3: What is the level of board involvement?
The panel acknowledged that there has been an uptick in the level of attention from boards on the issue of cybersecurity. Boards are more focused on the nature, extent, and consequences of a cyber attack. Boards are also looking at the short, mid-, and long-term impact of a breach, and the company’s breach response. In other words, boards want to ensure that their breach response is conducted in a way that protects the company’s future performance.
There was a disagreement between panel members, however, on the level of board involvement. Several panelists suggested that boards should consider retaining members with cybersecurity expertise who can interact with management to control the threat. Others were concerned that boards may overstep the boundary of overseeing the company to running the company. In the end, all of the panelists agreed that the composition and structure of the board should be considered on a case-by-case basis.
Lastly, the panel discussed whether the audit committee is the right group to manage this risk. All of the panelists agreed that audit committees are becoming overworked and are the default committee for board issues. Although recognizing this problem, many on the panel believe that the audit committee is well positioned to manage cyber risks.
Topic 4: What do investors want to know?
Investor relation members of the panel want greater disclosure as to what information companies collect, how they use it, why it’s collected, how it’s maintained, and how long it’s maintained. The concern is that companies who possess greater amounts of information are more likely to be a target. Knowing this will allow investors to better determine the risk(s) possessed by specific companies.
Topic 5: What drives disclosure?
The panel agreed that securities laws are not the driver of cybersecurity disclosures. Rather, state laws and regulations are what most concern companies who are breached. If a breach is not public, companies are disinclined to disclose a breach due to the potential for lawsuits and regulatory scrutiny. If companies believe there is no obligation to disclose under state law, they will likely decide the breach was not “material” and not deserving of a disclosure under securities laws. Importantly, most companies believe they will be treated not as the victim of a breach, but rather as a perpetrator. These factors indicate why we only hear of breaches involving consumer information instead of breaches involving the theft of intellectual property or security protocols.
Topic 6: Materiality: Black and White or Grey?
The SEC acknowledged that cyber risks are unique, and an unmovable definition of the term “materiality” is not necessarily useful. The SEC solicited input on how they can work with the private sector to develop a workable standard. Panel members suggested that investors should not focus on cyber risks, i.e., stock prices don’t take a real hit after a breach, so mandating more disclosures are not appropriate. A concern is that the increased disclosures will subject companies to expensive lawsuits and regulatory reviews, which do impact stock prices.
Moderator: Keith Higgins, Director, Division of Corporation Finance, SEC
- Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, Inc.
- David Burg, Global and U.S. Advisor Cyber Security Leader, PricewaterhouseCoopers LLP
- Roberta Karmel, Centennial Professor of Law, Brooklyn Law School
- Jonas Kron, Senior Vice President, Director of Shareholder Advocacy, Trillium Asset Management LLC
- Douglas Meal, Partner, Ropes & Gray LLP
- Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. and Washington Gas Light Company