Cybersecurity Disclosure and Investor Protection: Is Less, More?

by Edith Orenstein

Can too much of a good thing be bad? What about disclosure of the risks of cybersecurity breaches in SEC public filings?

An SEC roundtable on cybersecurity focused on the requirements of the commission's 2011 Guidance on cybersecurity disclosure, compliance practices and recommended actions to help the SEC to fulfill its dual mission of encouraging capital raising while protecting markets and investors.

SEC's 2011 Guidance 

As a baseline point of reference, the U.S. Securities and Exchange Commission’s Division of Corporation Finance (DCF, or CF) released CF Disclosure Guidance Topic No. 2: Cybersecurity in 2011.  The document, which is not a formal position of the commission or standard,  states:
We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws.

Current Disclosure Status

When asked by SEC commissioners and senior staff what types of disclosures have resulted from the 2011 guidance, most of the  panelists' responses fell into two categories:
  1. Companies provided no disclosure or very little disclosure of any actual cyber breaches, often on advice of counsel or otherwise, based on a determination that the event(s) was(were) ‘not material’, or
  2. Companies made a very ‘boilerplate’ disclosure.
The reasons given by panelists for ‘boilerplate’ disclosures were much like the reason cited in the SEC’s 2011 rule: there was concern not to provide, via public disclosure, a 'roadmap' to cyber vulnerabilities that could be used to plan cyberattacks against the company.

David Burg, global and U.S. advisor, cybersecurity leader, PwC noted, “There are very real cybersecurity threats, whether they are made public or not.”

Attorney Douglas Meal of Ropes & Gray noted, “A company disclosing a cybersecurity risk that is not otherwise disclosed could be viewed as doing as much damage as the attacker.” He added, “There is a tremendous disincentive to disclose a cybersecurity breach, if it would not otherwise become public.”

Asked by SEC Chair Mary Jo White if her company is ever specifically instructed by DHS not to disclose information publicly, Leslie T. Thornton, vice president and general counsel, WGL Holdings, Inc. and Washington Light and Gas Co. replied, “Sometimes we are told by the government that something is classified; we have to determine what we can disclose.” She added she is hopeful government agencies would understand the challenges her company faces with some agencies asking her to keep information classified, and others placing duties to disclose certain matters to investors on her company.

Cyber is Threat #1, Comey Tells Congress

SEC Chair White, citing remarks made by FBI Director Jim Comey last fall, stated in her opening remarks  that the scope of the cyberthreat problem exceeds the threat of (physical) terrorism.

This message was hammered home in Comey’s testimony at budget hearings in Congress and the Senate last week.

Ari Schwartz, acting senior director for cybersecurity programs, National Security Council, told the SEC roundtable, “The president has focused on the need for critical infrastructure. The starting point is to have an attitude in place that cybersecurity is risk, and what do market participants need to know about risks.”

He added, “We need Congress to act in this space, we hear this in a bipartisan way. The president issued executive orders (see Executive Order: Improving Critical Infrastructure Cybersecurity), the agencies are working together, NIST issued its cybersecurity framework.” (See: NIST Cybersecurity Framework. See also: DHS Critical Infrastructure Partnership Advisory Council (CIPAC), and DHS Critical Infrastructure Cyber Community C3 Voluntary Program.)

Larry Zelvin, director, National Cybersecurity & Communications Integration Center, U.S. Department of Homeland Security, said, “You can lock down your controls here, but if portions of your business are overseas, you are vulnerable to cyber [threats]."

He encouraged companies to engage in  discussions with DHS.  “We have the ability to share our information with all the ISPs and law enforcement to go after bad people;  cybersecurity and intelligence can see where an adversary is  going next. It's about trust that government can use information appropriately” he said.

Asked by Commissioner Michael Piwowar if there are particular kinds of cyber attackers the government agencies are concerned about, DHS’s Zelvin said, “There are nation states coming after you, they see you as a representation of the country;  I worry about inside threats (as well).”

The Private Sector’s Response

Mary Galligan, director of the Cyber Risk Services Practice of Deloitte and a former special agent in charge of Cyber and Special Operations for the FBI’s New York City Office,  said  “the more quickly a [cyber] incident is detected, the easier it is to recover.”

"We cannot close every cybersecurity vulnerability,” Galligan said, but she added it is very important to conduct "a true risk assessment/baseline,” as well as focus on “how do I monitor the monitors,” i.e.:  1) how are we monitoring what data leaves my company, (2) do we have a cybersecurity incident response plan, and (3) is that cybersecurity response plan up to date?" She added, “We see companies doing (cybersecurity) war games, [as simulations]."

Perhaps most significantly, Galligan noted, “The cybersecurity issue starts at the keyboard.”

“We are seeing more organized use of [credit card] information; and rapid development of malware,” said Andy Roth of Denton’s LLP, where he serves as co-head of Denton’s privacy and cybersecurity group.

Karl Schimmick, managing director, Financial Services Operations, SIFMA, said it is important to, “Focus on the outcomes: compliance is not the outcome. You can be in compliance, and still be vulnerable.”

John Reed Stark, a Managing Director in Stroz Friedberg’s office and former chief of the SEC’s Office of Internet Enforcement in the Division of Enforcement,  cautioned the SEC chair, commissioners and senior staff at the roundtable, “I urge you to be judicious in your enforcement referrals; if you are not sensing a fraud, hopefully you will consider this [advice].” He continued, “I am worried a lot of companies won't be able to give you the satisfaction that they are giving you everything they can.”

The Bottom Line: The Challenges of Cost-Benefit

My two cents: The more I read about cyber threats, the more harrowing the cybersecurity threat  becomes, not only with respect to the financial markets, but also  to critical infrastructure.

‘The Bottom Line’ often refers to total cost vs. total benefit. The SEC and others have remarked on difficulties in quantifying or measuring ‘costs’ and ‘benefits,’ and in the case of the costs of cybersecurity disclosures in particular,  it would appear the potential cost of adding risk through detailed disclosures of cyber break-ins could overcome the potential benefits of disclosure.

As some panelists suggested, a ‘prudential’ regulatory approach of having confidential discussions between the SEC and companies, may be a better form of “disclosure” with respect to this particular issue; and boilerplate information may be the only  disclosure that can  be given safely to avoid providing ‘roadmaps’ of vulnerabilities to third parties.

The issue of cyber disclosure could be a case where less is more to avoid providing a roadmap to cyber terrorists,  additional reputational damage, and  needlessly fueling the plaintiff’s bar. Companies reeling from a cyber attack are least fit to face procyclical affects of further downward pressure on their stock price, credit ratings or other aspects of their financial or physical security from public disclosures that perhaps could be as effective, or more effective, if provided  privately to the SEC and other federal agencies tasked with market protection, analogous to a prudential regulation capacity.

Chair White remarked toward the end of the roundtable, “What you worry about is ‘rational thinking’ that may not lead to meaningful investor disclosure.”

“Guidance for disclosure by critical infrastructure companies would be helpful,” said Washington Gas & Light's Thornton.

However, SIFMA's Schimmick warned, “Think through cost-benefit; Are you putting a sector at greater risk by putting [a new]  regulation into place?”

Roberta Karmel, a former SEC commissioner and currently a professor at Brooklyn Law School, stated during the roundtable, “This may be an area where more disclosure is not in the public interest.”

She added, “I have a resistance to the idea that when a matter becomes an important matter of public policy, the SEC should be tasked with doing it.”

Following the roundtable, we caught up with Karmel for any additional comments, and we appreciate her taking the time to share this additional overall observation:

The SEC's primary cybersecurity mission should be to monitor and assist security infrastructure institutions and broker dealers and investment advisors to safeguard the integrity of their systems--the subject of the two afternoon panels. Requiring more disclosure by public companies beyond a materiality standard could be more informative to hackers than investors. In some cases national security concerns could be implicated. So the commission needs to be very careful in crafting any new disclosure requirements.
What’s Next?

“We’re working with the other agencies in the financial services group to implement the new NIST framework," SEC spokesman John Nester said. As to plans for post-roundtable action, he said, "staff are continuing to consider the issues raised.”