Chair Gensler Cybersecurity Speech – Cybersecurity and Securities Law

On March 9, 2022, as you can read in this Meeting Notice, the SEC is meeting to consider rule making about “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”

As a bit of background, on January 24, 2022, Chair Gary Gensler delivered a speech titled “Cybersecurity and Securities Laws” at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. He addressed cybersecurity from a variety of perspectives, including a discussion of what may be the very first “hack”, a telegraph scheme in France in 1834! His remarks included this discussion of public company cybersecurity disclosures, which provides important insights for drafting risk factor and related cybersecurity disclosures in 34 Act reports:

Public Companies

Next, let me turn to public companies’ disclosure with respect to cyber risk and cyber events.

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.

A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.

In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.

Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.

You can find links to discussions of cybersecurity enforcement cases listed in this post about SEC enforcement priorities.

As always, your thoughts and comments are welcome!
