In an age of increased on line threats to business, cyber security is the number one issue boards must get a handle on right now, SEC Commissioner Robert Jackson Jr. said Thursday, especially when it comes to public company disclosure rules that don’t go nearly far enough to protect shareholders.
In a wide-ranging speech to the annual meeting of the Society for Corporate Governance in Washington, Jackson hit on a number of issues—from dual-class shares (he called for sunset provisions), more disclosure around share sales by management following stock buybacks (“The message to the world is the stock is cheap,” he said. “So why is management selling?”) and the outsized influence of proxy advisory firms (“empirically less influential than you think.”)
But it was on the issue of cyber security, especially disclosure, that Jackson focused most of his attention. He called for a new look at rules created and promulgated fifteen years ago with the passage of Sarbanes Oxley, and said they were simply growing outdated in the current era of cyber attacks that could impact millions of customers—and flatten a company’s stock price within minutes.
“It was a different world,” he said.
Under current SEC rules, a company has four days from the time it uncovers what could be a potentially material problem for the company until it needs to disclose the issue by filing an 8K. That, he said, was simply too long to make sense for investors because of the potential for insider trading by management, and also because many states—including New York—require immediate disclosure of any notable cyber breach to authorities, creating an uneven distribution of potentially market-moving information.
Beyond the speed of the release, there was also the question of why some companies weren’t disclosing news breaches at all to investors. In a study he’d done a few years ago, he looked at 82 companies with cyber breaches and found only four filed an 8K disclosing the problem to investors. “Just four?” he said. “Really?”
Asked about other issues surrounding the use—and potential misuse—of data by companies, such as was the case with Facebook earlier this year, Jackson said the fact that a company as technologically sophisticated as Facebook was struggling with how to get it right was telling.
“Even some of the most sophisticated companies are struggling with this issue,” he said. That “just shows you how difficult this is.”
“If Facebook is having this problem, what about less sophisticated companies?”