- Companies facing sharper regulatory scrutiny of their cyber weaknesses need to coordinate employees devoted to cybersecurity with those responsible for disclosing cyberattacks, according to Brent Wilner, a Securities and Exchange Commission (SEC) senior counsel.
- “What you have here is sort of this disconnect between the real cybersecurity experts — the people who can, you know, the CISOs that understand the nature of the incident, the nature of the breach, the nature of the information that’s been exposed — and the people who are making the disclosure,” according to Wilner, senior advisor to the SEC’s Crypto Assets and Cyber Unit.
- “Public companies need to be mindful of how they can bridge that gap,” Wilner said Thursday at Securities Enforcement Forum West. “This is really critical.”
The SEC under Chair Gary Gensler has bolstered investor protections against losses in crypto markets and mismanagement of cyber risks.
The SEC in March proposed tougher, more detailed rules for cybersecurity disclosure, including deeper company reports on cyberattacks and regular filings on cyber risk management, governance and strategy. Companies would need to report breaches within four days.
“Consistent, comparable and decision-useful” disclosure standards “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” Gensler said before the commission approved the proposal in a 3-1 vote.
Gensler this month announced plans to expand the SEC’s Cyber Unit to 50 enforcers from 30, adding investigative staff attorneys, trial counsels and fraud analysts and renaming it as the Crypto Assets and Cyber Unit.
The revamped enforcement team will focus on investigating violations in securities law related to crypto asset offerings, exchanges and lending, as well as staking products, decentralized finance (DeFi) platforms, nonfungible tokens (NFTs) and stablecoins.
Since its creation in 2017, the group has moved against SEC registrants and public companies that failed to limit cyber risks or disclose cyber-related risks or breaches.
Wilner led the group in an investigation that culminated this month in a $5.5 million fine against NVIDIA for allegedly failing to disclose the impact of cryptocurrency mining on the company’s sales of graphics processing units during two quarters in fiscal year 2018. An NVIDIA spokesperson declined to comment.
Companies targeted in a cyberattack need to fully disclose the incidents rather than vaguely refer to the breaches in public statements as hypothetical threats, Wilner said.
Wilner cited SEC Cyber Unit action against Pearson, a London-based provider of educational publishing, which agreed last year to pay $1 million to settle SEC charges that it misled investors about a 2018 cyberattack. Hackers stole millions of records from Pearson, including birth dates and email addresses, the SEC said in August.
Pearson in a semiannual filing with the SEC in 2019 “characterized the risk of such a cyber event as hypothetical and similarly, in another statement, characterized the type of information that could have been taken as part of the incident as hypothetical,” Wilner said.
“If you’re going to speak to the market and you’re going to characterize your risk related to cybersecurity, and you do so in a hypothetical way when you already have information to indicate that you already had that exact risk manifest — that’s going to lead to our raising concerns about it from a disclosure perspective,” he said.