- The Securities and Exchange Commission (SEC), having stepped up cybersecurity enforcement in recent years, plans to deepen its efforts to ensure clear cyber risk disclosures and solid internal controls, SEC Senior Counsel Arsen Ablaev said.
- The SEC Enforcement Division’s Cyber Unit “will continue to dig deeper into the area of cybersecurity-related disclosures and disclosure controls and internal controls,” Ablaev, a member of the Cyber Unit, said Thursday at Securities Enforcement Forum 2021. “You’ll be seeing more of the actions that we’ve been bringing fairly recently.”
- When sanctioning companies for failures in cyber risk disclosure, the SEC will likely index penalties to the extent of the damage, Ablaev said. If compromised data is related to a company’s “critical business, the more likely we are to find materiality and the more likely we are to assign a kind of higher penalty amount to these cases.”
Ablaev was an investigator in enforcement against Pearson, a London-based provider of educational publishing, which agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber attack. Hackers stole millions of records, including birth dates and email addresses, the SEC said in August.
Ablaev was also involved in recent SEC enforcement against eight broker-dealers and/or investment advisors that will pay penalties for cybersecurity failures after hackers took over email accounts and gained access to the personal information of thousands of customers.
Tougher enforcement is just one sign of how the SEC this year has sharpened its focus on cyber risk. The agency also added “cybersecurity risk governance” to its rulemaking agenda.
A cyber attack can harm investors by undercutting the price of a company’s debt or equity security, SEC Chair Gary Gensler said last month at a webcast hosted by New York University Law School.
Cybercrime costs worldwide will likely total $6 trillion this year and rise 15% annually during the next five years, Moody’s Investors Service said, quoting Cybersecurity Ventures estimates.
SEC staff are drawing up a proposed mandatory rule for cyber risk disclosure, laying out when a company should consider an attack material and subject to disclosure, and how such disclosure should be made, Gensler said.
SEC guidance on cybersecurity disclosures released in February 2018 foreshadowed several of the company failures that prompted agency enforcement actions during recent years, according to Lorin Reisner, a partner at Paul Weiss Rifkind Wharton & Garrison.
The 2018 guidance “gives you a perspective as to the enforcement actions that have already taken place, and also what maybe we should reasonably expect in the future,” Reisner told the online forum.
First, a company needs to ensure timely, in-depth communication between its cybersecurity staff and its executives responsible for disclosure and major decisions, he said. “The open communication between the technical experts and the disclosure advisors and decision makers is really critical.”
Second, a board of directors needs to deeply involve itself in cybersecurity risk assessment and disclosure, Reisner said.
“The company’s disclosures at the outset should probably describe clearly the board’s role in connection with potential cybersecurity incidents,” he said.
Third, the SEC guidance describes how companies should weigh the materiality of a cyber attack, Reisner said.
“Materiality depends on the range of harm that such incidents could cause,” he said, including litigation, remediation, insurance and reputational costs from such attacks as ransomware, distributed denial-of-service (DDoS) and pilferage of information or data.
“It’s clear from the guidance that the commission recognizes that evaluating materiality inevitably will involve some subjective judgement,” Reisner said. “So having good procedures for evaluating the impact is clearly a very important aspect of the guidance.”
Fourth, a company should not describe as hypothetical a cyber attack that has already occurred, he said.
Finally, the SEC guidance suggests that the agency will take a flexible approach to the timing and scope of disclosure, Reisner said.
The agency “does fairly acknowledge that there are times that detailed disclosure could compromise security efforts by providing a roadmap to hackers,” he said. It indicates “that companies may need time to discern the implications of a cybersecurity incident and may also need to cooperate with law enforcement, which could affect the timing of disclosure.”
Ablaev confirmed that the SEC wants to avoid giving hackers insights into a company’s cybersecurity weaknesses.
“We don’t want a company putting out information that hackers can then use to exploit the company,” he said. But “once the hole is plugged, you should be able to tell investors what happened.”