{"id":2105,"date":"2021-12-13T12:10:53","date_gmt":"2021-12-13T17:10:53","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2105"},"modified":"2021-12-13T12:10:53","modified_gmt":"2021-12-13T17:10:53","slug":"cybersecurity-insights-from-commissioner-roisman","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/cybersecurity-insights-from-commissioner-roisman\/","title":{"rendered":"Cybersecurity Insights from Commissioner Roisman"},"content":{"rendered":"<p>On October 29, 2021, SEC Commissioner Elad L. Roisman delivered a speech to the Los Angeles County Bar titled \u201c<a href=\"https:\/\/www.sec.gov\/news\/speech\/roisman-cybersecurity-102921\">Cybersecurity: Meeting the Emerging Challenge<\/a>.\u201d\u00a0 In this speech he addresses important cybersecurity matters, beginning with this introductory section \u2013 \u201cUnderstanding that You May be a Victim.\u201d<\/p>\n<p style=\"padding-left: 30px;\">\u201cBefore I go further, it\u2019s important to acknowledge a point that is sometimes overlooked in discussions about cybersecurity.\u00a0 In the case of cyber-crimes, companies are the\u00a0targets and victims.\u00a0 The last thing a company wants is to suffer this kind of criminal and illegal attack.\u00a0 But, today, the threat of a cyber-attack is so constant and significant for\u00a0every market participant\u00a0that it should be viewed as a substantial likelihood.<\/p>\n<p style=\"padding-left: 30px;\">The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks.\u00a0 But it\u2019s undeniable that our registrants, who have more general obligations under the securities laws\u2014such as to serve the best interests of clients or to shareholders\u2014<strong>also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities<\/strong>.<\/p>\n<p style=\"padding-left: 30px;\">Accordingly, it has become increasingly 
important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen\u2014that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.\u201d<\/p>\n<p>After this assertion that a cyber-attack should be viewed as a risk with a \u201csubstantial likelihood\u201d and that companies should take measures to address this risk, he discusses cybersecurity risk for a variety of entities that the SEC regulates, including exchanges, SROs, advisors, broker dealers and others.<\/p>\n<p>In the section addressing <strong>public issuers<\/strong>, he reviews the SEC\u2019s 2018 Release \u201c<a href=\"https:\/\/www.sec.gov\/rules\/interp\/2018\/33-10459.pdf\">Commission Statement and Guidance on Public Company Cybersecurity Disclosures<\/a>.\u201d\u00a0 In a related footnote he mentions that the Division of Corporation Finance \u201cblazed trail\u201d for this release with <a href=\"https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/cfguidance-topic2.htm\">Disclosure Guidance Topic 2<\/a>.\u00a0 He reminds issuers that disclosure requirements in areas including risk factors, description of the business and MD&amp;A may create obligations to disclose cybersecurity-related matters.\u00a0 He also mentions that the 2018 Release focuses on the importance of disclosure controls and procedures.\u00a0 (<a href=\"https:\/\/seciblog.pli.edu\/?p=2055\">See this post for an enforcement case about cybersecurity-related disclosure controls and procedures<\/a>.)<\/p>\n<p>Commissioner Roisman also discusses internal accounting controls over cybersecurity risk, mentioning the <a href=\"https:\/\/www.sec.gov\/litigation\/investreport\/34-84429.pdf\">SEC\u2019s 2018 \u201c21(a) Report\u201d<\/a> that focused on cases where companies had been victimized in cybersecurity-related fraud.\u00a0 That report, which 
did not enforce against the victim companies, reminded companies that internal accounting controls should address these kinds of risks.<\/p>\n<p>Commissioner Roisman notes that the <a href=\"https:\/\/seciblog.pli.edu\/?p=2029\">SEC\u2019s rulemaking agenda<\/a> includes issuer cybersecurity matters, but that no formal rulemaking has taken place yet.\u00a0 He provides these thoughts about possible rulemaking:<\/p>\n<p style=\"padding-left: 30px;\">\u201cBut I will let you know some of the things that I would be looking for as I consider any additional rules in this area.\u00a0 First, we need to define any new legal obligations clearly.\u00a0 Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies.\u00a0 Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity. \u00a0And finally, because issuers\u2019 businesses vary, the cybersecurity-related risks they face also will vary, and therefore a <strong>principles-based rule<\/strong> would likely work best.\u201d<\/p>\n<p>Commissioner Roisman\u2019s thoughts provide helpful insights that can lead to action steps as we address cybersecurity risk going forward.<\/p>\n<p>As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 29, 2021, SEC Commissioner Elad L. 
Roisman delivered a speech to the Los Angeles County Bar titled \u201cCybersecurity: Meeting the Emerging Challenge.\u201d\u00a0 In this speech he addresses important cybersecurity matters, beginning with this introductory section \u2013 \u201cUnderstanding that You May be a Victim.\u201d \u201cBefore I go further, it\u2019s important to acknowledge a point &hellip; <a href=\"https:\/\/seciblog.pli.edu\/index.php\/cybersecurity-insights-from-commissioner-roisman\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Cybersecurity Insights from Commissioner Roisman<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[143,242],"tags":[],"coauthors":[154],"class_list":["post-2105","post","type-post","status-publish","format-standard","hentry","category-hot-topic","category-reporting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.ed
u\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2105"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2105\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2105"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}