Thomson Reuters Tax & Accounting News

Featuring content from Checkpoint

Clayton Backs Improvements to Cybersecurity Disclosures

During his confirmation hearing to become the SEC’s next chairman, Jay Clayton said he did not think public companies were providing investors with enough information about cybersecurity. He also said he supports a Senate bill that would require companies to disclose whether their board of directors has a cybersecurity expert.

Threats to cybersecurity have become enough of a concern among regulators, companies, investors, and consumers that the nominee to head the SEC wants U.S. companies to make more information public about the threats they face and their efforts to combat them.

“As I look across the landscape, discussion and understanding of cyber threats and their possible impact on companies, I question whether the disclosure is where it should be,” said Jay Clayton during his Senate Banking Committee confirmation hearing on March 23, 2017.

Clayton, a partner with the law firm Sullivan & Cromwell LLP, was responding to a question by Democratic Sen. Mark Warner of Virginia concerning the need for the SEC to examine disclosures about threats to cybersecurity.

Warner was especially concerned that Yahoo Inc. did not disclose a 2014 hack attack affecting 500 million user accounts until September 2016.

“It was fairly remarkable that Yahoo… did not feel that was material enough to file in their quarterly SEC filings,” Warner said. Moreover, “Less than 100 [public companies] over the last decade plus have ever reported any kind of cyber breach or violation as material information.”

Yahoo did not respond to a request for comment as this story was being written.

Even as Clayton said he did not think there was sufficient disclosure by companies about cyber risks, he did not say whether the SEC’s interpretive guidance related to computer attacks should be updated. In 2011, the SEC published Disclosure Guidance: Topic No. 2, Cybersecurity, which gave the agency’s views about public company obligations to disclose information about their technology risks.

Clayton said he believes disclosures should be based on materiality, which he described, in the Supreme Court’s phrasing, as information a reasonable investor would use for making investment decisions.

He added that he supports a Senate bill that would increase disclosure about directors’ role in cybersecurity. Sens. Warner, Jack Reed, a Democrat from Rhode Island, and Susan Collins, a Republican from Maine, on March 7 introduced S.536, Cybersecurity Disclosure Act of 2017, to require publicly listed companies to disclose whether any members of their corporate boards have cybersecurity expertise.

If companies do not have a cybersecurity expert on their board, they would have to explain why the expertise is not needed. Reed said the bill does not require particular action by companies, only a disclosure. He asked if Clayton was “sympathetic” to the bill’s intent.

“In terms of whether there is oversight at the board level that has a comprehension for cybersecurity issues, I believe that is something that investors should know, whether companies have thought about the issue, whether it’s a particular expertise the board has, I agree,” Clayton responded. “It’s a very important part of operating a significant company.”

In introducing the bill, the senators noted that cyberattacks on businesses continue to increase in frequency and sophistication. They said 2016 was another record-breaking year with 1,093 breaches, an increase of 40 percent from 2015.

They noted, however, that according to a Deloitte LLP survey of risk managers at financial institutions, 42 percent said they thought their firms were effectively managing cybersecurity risk.

Moreover, they cited a 2016-2017 survey by the National Association of Corporate Directors that found 59 percent said it was challenging to oversee cyber risk, and only 19 percent said their boards have a high level of knowledge about technology risks.

© 2017 Thomson Reuters/Tax & Accounting. All Rights Reserved.