On October 29, 2021, SEC Commissioner Elad L. Roisman delivered a speech to the Los Angeles County Bar titled “Cybersecurity: Meeting the Emerging Challenge.” In this speech he addresses important cybersecurity matters, beginning with this introductory section – “Understanding that You May be a Victim.”
“Before I go further, it’s important to acknowledge a point that is sometimes overlooked in discussions about cybersecurity. In the case of cyber-crimes, companies are the targets and victims. The last thing a company wants is to suffer this kind of criminal and illegal attack. But, today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood.
The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks. But it’s undeniable that our registrants, who have more general obligations under the securities laws—such as to serve the best interests of clients or to shareholders—also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities.
Accordingly, it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.”
After this assertion that cyber-attack should be viewed as a risk with a “substantial likelihood” and that companies should take measures to address this risk, he discusses cybersecurity risk for a variety of entities that the SEC regulates, including exchanges, SROs, advisers, broker-dealers and others.
In the section addressing public issuers, he reviews the SEC’s 2018 Release “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” In a related footnote he mentions that the Division of Corporation Finance “blazed trail” for this release with Disclosure Guidance Topic 2. He reminds issuers that disclosure requirements in areas including risk factors, description of the business and MD&A may create obligations to disclose cybersecurity-related matters. He also mentions that the 2018 Release focuses on the importance of disclosure controls and procedures. (See this post for an enforcement case about cybersecurity-related disclosure controls and procedures.)
Commissioner Roisman also discusses internal accounting controls over cybersecurity risk, mentioning the SEC’s 2018 “21(a) Report” that focused on cases where companies had been victimized in cybersecurity-related fraud. That report, which did not enforce against the victim companies, reminded companies that internal accounting controls should address these kinds of risks.
Commissioner Roisman notes that the SEC’s rulemaking agenda includes issuer cybersecurity matters, but that no formal rulemaking has taken place yet. He provides these thoughts about possible rulemaking:
“But I will let you know some of the things that I would be looking for as I consider any additional rules in this area. First, we need to define any new legal obligations clearly. Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies. Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity. And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.”
Commissioner Roisman’s thoughts provide helpful insights that can lead to action steps as we address cybersecurity risk going forward.
As always, your thoughts and comments are welcome!