Nearly every day reports surface of a data breach at a company where hackers stole customer credit card details or other sensitive personal data, or such information was mistakenly leaked to the public.

Sometimes the breach has just happened and sometimes the problem occurred months ago or longer and is just now coming to light.

Given the frequency of such breaches—whether perpetrated by outside hackers or internal malcontents—the Securities and Exchange Commission is considering what steps to take to ensure that investors aren't kept in the dark. Should there be expanded disclosure requirements?

During a daylong roundtable last week, hosted by the SEC, a cross-section of executives, advisers, and regulators considered the pros and cons of greater cyber-security disclosure.

“Has the Commission given issuers enough guidance? Do we need some type of minimum standards? Is that even possible given the breadth of the public companies we are overseeing?” asked SEC Commissioner Kara M. Stein. “Is there a way for us to be as dynamic in our requirements as the landscape and the threats are?”

The SEC first issued cyber-security disclosure guidance in 2011 that tells companies to disclose the risks they face, explain how a security breach would affect financial performance, and discuss the adequacy of internal controls and procedures. The guidance, however, hasn't been updated since, even though the frequency and size of data breaches have continued to grow.

The Materiality Threshold

Companies are also forced to make judgment calls about what may be material to investors versus what would unnecessarily damage their brand or could invite further attacks. The threshold is problematic, several roundtable participants said, since stock prices are rarely affected by the revelation of a breach.

“From a materiality and securities law point-of-view, you could make an argument from the stock movement perspective that none of those breaches were material,” says Douglas Meal, a partner with the law firm Ropes & Gray. “Even TJX, which suffered one of the biggest breaches in history, didn't see its stock price move after the announcement.”

Another problem is that companies don't always know when a breach has occurred, and breaches can also have national security implications. For example, Leslie Thornton, vice president and general counsel for energy company Washington Gas, said a breach could come to light when FBI agents show up at your company with news that your critical infrastructure has been penetrated by a terrorist or rogue government.

“You would think the federal government coming up to your office and scaring you in the middle of the night would be material, but the considerations on that kind of cyber-risk or event are different,” Thornton said. “You wouldn't necessarily disclose a nation state actor trying to do harm, particularly if, in that situation, you don't have customer or employee data that has been compromised. You have a much more discreet issue.”

In such situations secrecy may be warranted. While the SEC may expect disclosure, other government agencies will demand ongoing secrecy until they complete their investigation.

No good deed goes unpunished is the lesson learned by many companies that tried post-breach transparency, Meal said. “They were rewarded with all kinds of litigation and regulatory investigations at an enormous expense and burden,” he says. Conversely, companies that concluded, on materiality grounds, not to disclose breaches typically suffer few, if any, consequences.

Little Support for New Disclosure

Many of the company representatives and data security advisers at the roundtable did not support new rules requiring disclosure of information about cyber-security and data breaches. “Don't impose rigid rules,” warned David Tittsworth, executive director of the Investment Adviser Association. He hopes, however, that the SEC will elaborate on its expectations for best practices.

Roberta Karmel, a professor at Brooklyn Law School and a former SEC commissioner, also called on the SEC to resist the urge to require more disclosure. “I have a resistance to the idea that when something becomes a matter of public policy the SEC should always be tasked with doing something about it,” she said, citing the example of environmental issues incorporated into the disclosure regime. “Doing that just adds to the prolixity and length of disclosure documents without being really that helpful to investors.”


Karmel added that new disclosures would run counter to the possible SEC goal of slimming down bloated reporting requirements. “At a time when the SEC is hopefully going to look at disclosure policy and try and simplify it, I don't think the Commission should be going overboard in another direction and putting in new regulatory requirements for cyber-security disclosures,” she said.

Cyber-Risk Committee?

Attendees at the roundtable also considered the board's role in combating cyber-attacks and informing the public of data breaches. When SEC Chairman Mary Jo White asked whether boards of directors should establish a cyber-risk committee, responses were mixed. “Boards should be asking harder questions,” Thornton said. “But do they have enough expertise to deal with these kinds of questions?”

Research shows that there has been a marked increase in the level of involvement at the board level, says David Burg, cyber-security leader for audit and advisory firm PwC. “The strategic implications are very important,” he says. “Board members realize it is important to think about cyber- and enterprise-risk management as one and the same.”

Karmel feared, however, that the SEC might codify that involvement through rulemaking. “I don't think the board should be running the company as opposed to overseeing the management,” she said. “A very large, international financial institution might want someone on the board who has that kind of cyber-security expertise. But I'm not sure all other companies would feel that same sense of urgency.”

“A board of directors is supposed to be composed of people who are generalists to some extent,” she added. “To have a special cyber-security committee as opposed to responsibility by the audit committee or the risk-management committee for cyber-security matters, well, I would have to see that become a requirement. It is something that should be determined from company to company?”

Cyber-Security & the Internal Audit

The Center for Audit Quality, a public policy group that advocates performance standards for public company auditors, recently issued a member alert to summarize the responsibilities of independent external auditors with respect to cyber-security matters. A selection from the advisory follows:

Auditing standards require the auditor to obtain an understanding of how the company uses IT and the impact of IT on the financial statements. Auditors are also required to obtain an understanding of the extent of the company's automated controls as those controls relate to financial reporting, including the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports used in the audit that were produced by the company.

The auditor's understanding of the IT systems and controls should be taken into account in assessing the risks of material misstatement to the financial statements, including IT risks resulting from unauthorized access. Systems and data in scope for most audits usually are a subset of the totality of systems and data used by companies to support their overall business operations, and the audit's focus is on access and changes to systems and data that could impact the financial statements and the effectiveness of internal control over financial reporting (ICFR). In contrast, a company's overall IT platform includes systems (and related data) that address the operational, compliance and financial reporting needs of the entire organization.

If information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR. The auditor's primary focus is on the controls and systems that are in the closest proximity to the application data of interest to the audit—that is, Enterprise Resource Planning (ERP) systems, single purpose applications like a fixed asset system or any set of connected systems that house financial statement related data.

Under current guidance, a company may determine it is necessary to disclose cyber-security risks in various places throughout its Form 10-K (e.g., risk factors, MD&A, legal proceedings, business description, and financial statements). The auditor's responsibilities depend on where the disclosure is included in the 10-K. The auditor performs procedures to assess whether the financial statements, taken as a whole, are presented fairly, in all material respects. If the auditor concludes that there is a material inconsistency, he should determine whether the financial statements, his report, or both require revision.

Source: Center for Audit Quality.

Thornton, however, said her company sought out a new director with a technology and security background. The expertise of that board member, a 30-year veteran of defense company Lockheed Martin, has been invaluable, she said.

Barring a specialized body, the audit committee is the logical place for a board to consider cyber-risk, said Peter Beshar, executive vice president and general counsel for Marsh & McLennan, a risk management and insurance brokerage firm.

“They have a very full plate, but the audit committee is probably a good place for regular discussions about security and what the company is doing in terms of preparedness and resilience,” he said.

Some of the attendees said companies already have the mechanisms in place to consider cyber-security risks, even if they are not yet doing an adequate job of it. “Most companies have an enterprise risk management framework and there is regular reporting on top risks to the full board of directors,” Beshar said. “That is another measure to ensure that cyber-security is regularly addressed.”

“There is no right or wrong place for board involvement, so long as it happens,” agreed Jonas Kron, senior vice president and director of shareholder advocacy for Trillium Asset Management. “Some companies have technology and e-commerce committees, or public policy and regulatory committees. It is not necessarily important to say which one it belongs in, but let's be clear about where it is and what the responsibilities are, so that the market can make a decision.”

As SEC commissioners mull what, if anything, to require of companies on cyber-security disclosures or board responsibilities, they may soon get some much-needed advice. “There is no doubt that the SEC must play a role in this area,” SEC Commissioner Luis Aguilar said. “What is less clear is what that role should be.”

He proposed the creation of a cyber-security task force, composed of representatives from each SEC division who will meet regularly to discuss evolving issues and advise the Commission on its future demands and disclosure requirements.