Following on the heels of the SEC’s updated interpretive guidance on cybersecurity disclosure, SEC Chairman Jay Clayton and SEC Commissioner Robert Jackson each recently made public statements underscoring the agency’s increasing focus on cybersecurity.
On March 12, 2018, at a conference held by the Council of Institutional Investors, Chairman Clayton stated that the SEC will closely monitor how corporations respond to the new interpretive guidance. During an interview conducted by former Chairwoman Elisse Walter, Chairman Clayton said implementation of the interpretive guidance “will be a focal point for staff review” and that companies should work to determine their disclosure obligations under the current rules.[1] Reiterating the interpretive guidance’s statement that the SEC expects companies to make disclosures “tailored” to their particular cybersecurity risks and incidents, Chairman Clayton stated that companies must put significant effort into determining their individual disclosure obligations under the current rules, meaning that “[r]eally good lawyering and governance is necessary.”[2] Chairman Clayton also alluded to calls by certain SEC Commissioners for rulemaking requiring the disclosure of cybersecurity incidents in 8-K filings: “In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,” said Chairman Clayton, adding “[i]t’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.”[3]
A few days later, on March 15, 2018, Commissioner Jackson explicitly stated his view that greater disclosure requirements for cybersecurity breaches may be necessary, echoing Commissioner Stein’s statement of February 21, 2018. In his prepared speech at the Tulane Corporate Law Institute, Commissioner Jackson described the rising cyber threat as “the most pressing issue in corporate governance today.”[4] In addition to encouraging practitioners to lead the way in developing cyber-related best practices with respect to disclosure controls and procedures and insider trading prohibitions, Commissioner Jackson specifically called upon the audience to “urge upon the boards [they] counsel the pressing need for transparency” in disclosure regarding cyber threats.[5] Commissioner Jackson expressed his concern that corporations too often err on the side of non-disclosure of cybersecurity breaches, leaving investors “in the dark” about cyber risks. Stating that the Commission has “much more work to do in getting investors the information they need to understand cyber attacks,” Commissioner Jackson added that he had “called upon [his] colleagues in the SEC to give careful consideration to new 8-K requirements governing cyber events.”[6]
The recent remarks by Chairman Clayton and Commissioner Jackson are the latest in a series of statements by SEC officials emphasizing that cybersecurity is and will continue to be a priority area for the agency. Companies subject to disclosure requirements should carefully review and consider the SEC’s interpretive guidance and continue to monitor the possibility of further SEC action on the disclosure of cybersecurity risks and incidents.
[1] See “SEC Focused on Cyber Disclosure After New Guidance: Chair” (Law360, March 12, 2018) (“SEC Focused on Cyber Disclosure”) (quoting Chairman Clayton); see also http://www.pionline.com/article/20180313/ONLINE/180319978/sec-chairman-non-committal-on-dual-class-cybersecurity-fiduciary-rule-making.
[2] See SEC Focused on Cyber Disclosure.
[3] Id.
[4] See Securities and Exchange Commission, Corporate Governance: On the Front Lines of America’s Cyber War (March 15, 2018) at 1.
[5] Id. at 3.
[6] Id. at 3.