Cybersecurity in the cross hairs of the SEC
Photo by Marina Noordegraaf

The SEC continues to increase its focus on cybersecurity preparedness. As we have reported in prior blogs here and here, we believe that cybersecurity will become an increasingly important element of the SEC’s disclosure and enforcement efforts. Recent events show that the SEC is ramping up its efforts in the cybersecurity area, and we believe that all companies that are potentially affected by these SEC activities should pay special attention to their cybersecurity preparedness and should anticipate possible SEC action in this area.

The SEC’s most recent activity in the cybersecurity area involves registered broker-dealers and registered investment advisers. These entities are logical choices for a cybersecurity focus because of the large volume of confidential and very sensitive customer information that they hold. The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced this cybersecurity focus in an April 15, 2014 Risk Alert which stated that the SEC plans to mount an initiative to assess cybersecurity preparedness in the securities industry. The SEC had previously laid the groundwork for this initiative during a March 26, 2014 Cybersecurity Roundtable when Chair White stressed the vital importance of cybersecurity to our market system and consumer data protection. She also called for more public/private cooperation in strengthening cybersecurity preparedness. Other SEC participants at this Roundtable stressed the importance of gathering data and information regarding cybersecurity preparedness so that the SEC could determine what additional steps it should take in this area.

The OCIE’s cybersecurity initiative will assess cybersecurity preparedness in the securities industry and obtain data and information about the securities industry’s recent experiences with cyber threats and cybersecurity breaches. As part of this initiative, the OCIE announced that it will conduct examinations of more than 50 registered broker-dealers and registered investment advisers to obtain cybersecurity data and information and to assess the preparedness of these entities to defend against cyber threats. According to the Risk Alert, this investigation will focus on such things as

Continue Reading SEC increases focus on cybersecurity

SEC Staff provide insight as to SEC agenda

On Tuesday, the Securities Law Committee of the Society of Corporate Secretaries and Governance Professionals met with officials from the Divisions of Corporation Finance, Investment Management, and Trading and Markets and the Office of the Whistleblower. While neither new Chair Mary Jo White (confirmed in April) nor new Director of Corporation Finance Keith Higgins (starts at the SEC in June) was present at the meeting, the Staff provided some important takeaways. Although the two-hour meeting covered a significant number of issues, the most important discussions involved the following topics:

  • The Staff’s focus will be on Congressional mandates. Although the Staff couldn’t give timelines, the remaining provisions from Dodd-Frank and the JOBS Act appear to be the focus of upcoming rulemaking activity. Agenda items such as mandatory disclosure of political contributions, while constantly popping up in the news as imminent, would not fit into the stated focus. The Staff noted that no one was working on rulemaking requiring the disclosure of political contributions, which is consistent with Chair White’s Congressional testimony last week.
  • Issuers continue to have problems with erroneous reports from the proxy advisory firms.  The Staff noted that they continue to receive complaints from issuers specifically regarding errors, difficulty speaking to the correct person at ISS and Glass Lewis, and overlooking key aspects such as an issuer changing its fiscal year.  The Staff has met with ISS and Glass Lewis over the past year and has requested that the advisory firms improve their transparency.  The Society repeated its concerns with the proxy advisory firms and noted that the issues are acute when dealing with smaller issuers.
  • The Office of the Whistleblower is now adequately staffed and deep in implementation mode. While only one award has been made under the program, no imminent changes are expected, despite the musings of a recent New York Times article.
  • The Staff did a terrific job in responding to no action requests regarding shareholder proposals.  All but 25 requests were responded to in less than 60 days.  The Staff is very cognizant of the costs of missing printing deadlines and therefore reminds issuers to alert the Staff of not only print deadlines, but also notice and access deadlines.
  • The timeline for the four remaining controversial executive pay provisions of Dodd-Frank remains

Continue Reading Recent meeting between the Society of Corporate Secretaries and Governance Professionals and SEC Staff provides insight

Cybersecurity legislation

Senator Jay Rockefeller (D., West Virginia), the most vocal proponent of cybersecurity legislation, has renewed his focus on cybersecurity legislation. He has sponsored previous cybersecurity-related legislation, but has been unable to implement any meaningful legislation in this area. His prior sponsorship of the proposed Cybersecurity Act of 2012 initially seemed to draw support in the Senate, but it encountered strong opposition from the United States Chamber of Commerce. The Chamber strongly criticized this proposed legislation and went so far as to state that the Chamber would include senators’ votes on this proposed legislation in its annual “How They Voted” survey. In any case, this proposed legislation was not passed in 2012.

One of the strongest aspects of the Chamber’s resistance to this proposed legislation was the assertion that American companies would be strongly opposed to the legislation. To confirm the positions of American companies on this issue, Senator Rockefeller sent a letter to the CEOs of all Fortune 500 companies on September 19, 2012. The Senator’s office has now received responses to this letter, and the majority staff summarized them in a January 28, 2013 Memorandum.

Approximately 300 companies responded to the Senator’s letter. The companies that responded were predominantly larger members of the Fortune 500. According to the Staff Memorandum, the overall responses of the companies were favorable to potential cybersecurity legislation (with some important caveats). 

Based on the Staff Memorandum, there appears to be general support from the responding companies for a voluntary cybersecurity compliance program. The companies’ main objections appear to be concern about the

Continue Reading Cybersecurity legislation continues to move forward

Resolutions by in-house counsel for 2013

As we start 2013, I thought it would be fun to ask in-house counsel what their New Year’s resolutions were. I wasn’t looking for the usual “go to the gym more/ lose weight/ get organized” type answers, but rather what corporate secretaries/ securities counsel would want to improve upon in 2013 in their professional lives. I heard back from a variety of in-house counsel, some of whom wish to remain anonymous. Many had similar types of goals for this year. I want to thank Bob Lamm, Assistant General Counsel and Assistant Secretary at Pfizer Inc., and Stacey Geer, Senior Vice President and Associate General Counsel at Primerica, Inc., both of whom were especially helpful in coming up with this list. Here are the top resolutions submitted by in-house counsel:

Refresh the board and committee self-evaluation process. Now is a good time to refresh the board and committee self-evaluation process. If your board and committees are like most, they may be “bored” with the process by now. By asking the same questions every year, eventually the process becomes stale and the answers become predictable. Rather than have the directors complete the same survey, consider changing the questions or, better yet, having a third party facilitate the evaluation process. Remember to set aside some time to discuss the evaluation, because the discussion of the evaluation is the most important part of the process.

Tweak your director orientation program. A good director orientation program allows new board

Continue Reading Starting the New Year off right: In-house counsel disclose their New Year’s resolutions

Cybersecurity issues continue to be a hot topic for companies. As discussed in my prior blog posts, “Get ready for increased cybersecurity disclosure requirements” and “SEC pushes for disclosure of hacking incidents”, the SEC continues to focus on cybersecurity and data breach items and has now begun to encourage public companies to disclose them, even in the absence of applicable rules or regulations. The only official guidance from the SEC on cybersecurity disclosure continues to be the disclosure guidelines provided in October 2011 in CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Release”).

There has been some important movement on cybersecurity issues outside of the SEC. While this does not directly pertain to disclosure of these items, public companies should pay close attention to these developments since they may provide some valuable guidance in this area. These developments also confirm the importance of cybersecurity issues and support my position that the SEC will probably soon mandate additional disclosure requirements for cybersecurity items. 

On September 19, 2012 Senator John D. Rockefeller IV (D, West Va.) sent a letter to the CEOs of all Fortune 500 companies posing questions about these companies’ cybersecurity policies and related issues. His letter asked these companies to evaluate their roles and responsibilities in connection with cybersecurity legislation and reform and to work with the Federal government to successfully enact cybersecurity legislation. Responses to this letter are voluntary, but it is likely that most of these companies will respond in some fashion. The companies’ responses were requested by October 19, 2012. 

Senator Rockefeller has long been a very strong proponent of cybersecurity legislation, and he is clearly frustrated with the lack of progress in this area. He was instrumental in the introduction of both the Cybersecurity Act of 2010 and the Cybersecurity Act of 2012, both of which failed to gain Senate approval. The proposed Cybersecurity Act of 2012 was defeated by a filibuster in August 2012, and in his letter Senator Rockefeller attributes this filibuster to opposition from business and trade groups, particularly the United States Chamber of Commerce. He has supported President Obama’s proposed use of an executive order to enact cybersecurity protection outside of the legislative process, and he references this in his letter. Based on the language of his letter, however,

Continue Reading Cybersecurity issues continue to draw attention

A number of well-known companies, including Zappos.com, Google, Quest Diagnostics, Eastman Chemical and AIG, have recently experienced actual or potential intrusions into their computer systems and related confidential data. Some of these incidents have been active criminal attacks by sophisticated hackers, while others have resulted from situations such as lost or stolen laptops. The frequency and severity of hacking incidents have been steadily increasing. In fact, virtually all companies today are subject to the risks of such incidents due to the widespread use of the Internet and information technology. The advent of a substantial mobile workplace, with workers accessing data remotely through smartphones, tablets, laptops and other devices, has also multiplied companies’ risks in this area.

As the risks have increased, the SEC has recently been increasing the pressure on public companies to disclose “hacking” and other cyberintrusion incidents in their regulatory filings. There are still no SEC rules governing such disclosure, but I believe that this has clearly become a high-priority disclosure item. I also foresaw these increased cybersecurity disclosure requirements in my prior blog post (“Get Ready for Increased Cybersecurity Disclosure Requirements”). Public companies that experience a hacking or other cyberintrusion incident should carefully review the recent actions taken by the SEC and by other public companies that have experienced these incidents.

The SEC took a major step in encouraging disclosure of hacking and other cybersecurity items with its issuance of “2011 CF Disclosure Guidance:  Topic No. 2 (Cybersecurity)” (the “Release”) in October 2011. This Release only provided general guidance on disclosure of cyberincidents. The SEC has not yet developed any rules or regulations on cybersecurity or hacking incident disclosure, although we believe that such rules and regulations will be enacted at some point soon. In any case, based on recent events it appears that the Commission is strongly encouraging such disclosure despite the lack of existing rules and, in some cases, engaging in de facto rulemaking.

Companies tend to resist disclosure of hacking incidents for several

Continue Reading SEC pushes for disclosure of hacking incidents

New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks due to the substantial increases in the volume of data and information stored online, the rise of multiple platforms for accessing data and the sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have very negative and expensive results. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with such cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.

The primary guidance that the SEC has issued on cybersecurity disclosure to date has been the 2011 CF Disclosure Guidance:  Topic No. 2 (Cybersecurity) (the “Release”) issued by the SEC’s Division of Corporation Finance on October 13, 2011. This Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. The Release provided overall guidance, however, and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure information about cybersecurity and other similar matters based on their own evaluations of what should be disclosed.

Under the Release, some of the items that public companies are advised to address include:

  1. review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
  2. disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
  3. disclose known or threatened cyber incidents;
  4. address cybersecurity risks and cyber incidents in the Company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the Company’s results of operations, liquidity or financial condition or would cause reported financial information to not be indicative of future operating results or financial condition;
  5. disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;

Continue Reading Get ready for increased cybersecurity disclosure requirements

Risks of Cyber Attacks

If you are an executive for a public company, new SEC guidance requires you to consider cybersecurity in your ongoing periodic reports. As evidenced by the barrage of news reports over the past couple of years, cyber incidents have become very significant events for all types of companies. A recent example was the data breach of Sony Corporation’s PlayStation Network. These cyber incidents can cause companies to spend substantial amounts of money and time to attempt to reduce or correct the associated damage, including significant reputational damage. All companies must make significant capital investments in systems and measures designed to prevent future cyber incidents or at least mitigate their harmful effects. Unfortunately, the number of cyber incidents will continue to increase, and the tactics used by hackers will become more sophisticated and harder to prevent and control.

Congress Gets Involved

Last year, a group of U.S. senators recognized that cybersecurity incidents and the associated costs were a major risk for many companies and that many public companies were not adequately disclosing these events. The Senators also recognized the growing risks of cybersecurity and cyber incidents, and that there was very little guidance for public companies on their disclosure responsibilities in connection with cybersecurity. These senators wrote a letter to SEC Chairman Shapiro asking for some interpretative guidance on how to address disclosure of cybersecurity and cyber incidents and the associated risks and economic effects.

SEC Sets Expectations

In response to the Senate inquiry, the SEC recently issued CF Disclosure Guidance: Topic No. 2 (the “Disclosure Guidance”), which set forth the SEC’s expectations of public company cybersecurity disclosure. Public companies of all sizes and industries should

Continue Reading New Cybersecurity Disclosure Obligations for SEC Filings