Two men share securities regulation news

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Securities Regulation Daily, June 19, 2015

Congressmen ask Chair White to reboot cybersecurity guidance

By Mark S. Nelson, J.D.

Representatives Jim Langevin (D-RI) and Jim Himes (D-Conn) are asking SEC Chair Mary Jo White to put the agency on track to update its cybersecurity disclosure guidance. Freshened SEC views on this rapidly evolving topic could yield more timely, informative and less repetitive cybersecurity disclosures, the congressmen said in their letter.

“Investors deserve to know what preventative measures are being taken against cyber risks, and consumers deserve to know how their private information is being protected. SEC guidance must reflect the current threat landscape and the evolving technology challenges that companies face,” said Langevin, in a press release announcing the letter to White. Langevin is co-chair—along with Michael T. McCaul (R-Tex)—of the Congressional Cybersecurity Caucus and he sits on the House Homeland Security Committee and its Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Himes, a member of the House Financial Services Committee and the Permanent Select Committee on Intelligence, added that the increasingly brazen nature of cyber attacks may have a “chilling effect” on both investors and those who buy companies’ products and services. “We look to the SEC to lead in this situation and set industry-wide standards for all listed companies.”

Comparability data lacking. According to Langevin and Himes, the SEC could help investors to compare companies’ cybersecurity efforts within the sectors in which the companies do business. The representatives cited a March 2015 Harvard Business Review article that highlighted the current lack of useful cybersecurity metrics for investors. The absence of good cybersecurity data may leave investors clueless about the longer-term effects of cyber attacks on shareholder value.

To this end, Langevin and Himes would have the SEC answer eight questions about how the agency deals with cybersecurity as part of its disclosure reviews, who within a company should be responsible for cybersecurity, how the SEC judges companies’ effectiveness in combating cyber threats, and when periodic reports (e.g., Form 8-K) may be needed after a cyber attack.

The congressmen also asked the SEC to mull five more questions about whether the agency should tell companies to disclose on Form 10-K how well their efforts compare to industry best practices on cybersecurity and what cybersecurity briefings are given to company directors and top executives.

Materiality revamp. Langevin and Himes also want the SEC to reconsider what “materiality” means in the context of cybersecurity disclosures. Citing the Department of Justice’s May 2014 charges against Chinese military hackers and a White House science council report, the Congressmen suggested that exiting definitions of materiality are “naive.”

According to Langevin and Himes, “materiality as it relates to cyber risk is particularly difficult to assess both because we lack sufficient data from past cyber attacks and because the effects are often not distinguishable from the many confounding variables surrounding a company's earnings.”

SEC guidance. The SEC’s current guidance, contained in CF Disclosure Guidance: Topic No. 2 (issued October 13, 2011), states that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

Cybersecurity disclosures often appear in multiple locations within companies’ filings with the SEC. For example, these disclosures can appear in risk factors sections, management’s discussion and analysis, the business description, and in disclosures about legal proceedings. The SEC’s guidance has always recognized the fluid character of cybersecurity disclosures with the added understanding that companies must be up front with investors and regulators without giving would-be hackers a “road-map” to sensitive business data.

Last year, the SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) to deal with reporting by "SCI entities," including SCI self-regulatory organizations, alternative trading systems, plan processors, or exempt clearing agencies subject to the SEC's automation review policy.

Regulation SCI broadly covers many cybersecurity-related events for SCI entities. An “SCI event,” for example, can range from a systems disruption or compliance issue, to a systems intrusion. The regulation also applies to the development and testing of SCI entities’ business continuity and disaster recovery plans.

In April, the SEC’s Division of Investment Management issued guidance on cybersecurity for registered investment companies and advisers. The SEC’s Office of Compliance Inspections and Examinations also released a report on its cybersecurity examination sweep of registered broker-dealers and investment advisers this past February.

The House passed a pair of cybersecurity bills earlier this year, but the Senate has yet to vote on the topic following a failed attempt by Senate Majority Leader Mitch McConnell (R-Ky) to attach the cybersecurity bill to a defense bill. It is possible that the Senate will vote separately on the cybersecurity legislation. Last week, Sen. Dianne Feinstein (D-Cal), Vice Chair of the Senate Intelligence Committee, said the cybersecurity bill could get a vote once members have a chance to propose amendments to the current text.

MainStory: TopStory BrokerDealers FormsFilings InvestmentCompanies InvestmentAdvisers PublicCompanyReportingDisclosure RiskManagement

Securities Regulation Daily

Introducing Wolters Kluwer Securities Regulation Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.