By Soyoung Ho
Cybersecurity issues remain a priority for the commission, said SEC Chairman Jay Clayton on October 23, 2019, as public companies will likely continue to experience damaging attacks to their computer systems and the theft of large amounts of personal information about their customers.
He said the SEC’s Division of Corporation Finance (CorpFin) will continue to look closely at cybersecurity disclosures as part of routine review of company filings.
CorpFin is looking at “the types of disclosures [companies] are providing, whether they are giving investors an adequate picture, the risks presented, including things like protection of intellectual property,” Clayton said at the Securities Enforcement Forum 2019 hosted by Securities Docket in Washington. “You know, it’s a huge asset. But if you can’t protect it, you need to tell your investors, ‘Hey, I have this proprietary technology, I have this know-how, I have these trade secrets, whatever, but they are at risk.’ And investors should understand that.”
Among other commission efforts, Clayton said the Office of Compliance Inspections and Examinations (OCIE) is not only looking at infrastructure but also cyber resiliency.
“I think people need to understand you are not only trying to protect what you have, but also be in a position that if something happens, you can rebuild it and get back to a functioning mode.”
Some corporate governance professionals and investors have been advocating for a requirement that one member of the corporate board be a cybersecurity expert. A subcommittee of the SEC’s Investor Advisory Committee about two years ago discussed whether the commission should require public companies to include, among other things, information about whether any member of the board has experience, education, or expertise in cybersecurity. And if it does not, then the company should explain why it believes it is not necessary for the company to adequately manage risks.
Soon after the discussion, the SEC in February 2018 published guidance on cybersecurity disclosures, and the advisory panel did not pursue a recommendation for the commission to consider.
Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, expands on the 2011 interpretive guidance in Disclosure Guidance: Topic No. 2, Cybersecurity. Both statements summarize the requirements public companies must meet to inform investors about the risks and threats to their information technology systems. The SEC published Release No. 33-10459 following persistent complaints by investors that companies had been too slow to provide information about cybersecurity issues and that, when they did, the information was of little use.
Release No. 33-10459 does not say whether a public company board should have a cybersecurity expert as a member. It does say that a company must disclose the extent of the board’s role in overseeing the company’s cybersecurity risk.
“To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk,” the SEC said in the guidance. “In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
At the securities enforcement event, Clayton disagreed that boards should have a cybersecurity expert.
“Should boards be focused on the issues? In virtually every industry I can think of, yes,” he said. “Do I think we should be prescriptive about having a particular type of person on the board? I think making sure that boards have people who are qualified to be on audit committees, it’s a really good thing. You need people who understand auditing, understanding financial reporting. That’s a good counterweight to management.”
But cybersecurity expertise is different, he indicated. “Sitting around a boardroom, I want to know as a board we have a real sense of what this means to a company. If that’s not the case, then maybe you need to get somebody, have access to expertise, then you should be asking questions,” Clayton said. “I don’t know we have 4,400 cyber experts.”