The cybersecurity disclosure guidance issued by the Securities and Exchange Commission (SEC) last year simply wasn’t enough, says Robert J. Jackson Jr., SEC commissioner.
“I expressed some hesitation, some misgivings that it would not do enough to get board members the guidance they needed to make hard decisions about disclosure of cyber incidents,” Jackson tells Corporate Board Member in an exclusive interview. He went as far as to say that disclosure rules are inadequate when it comes to cybersecurity.
Jackson will be shedding more light on why he’s convinced the SEC—and government in general—needs to do more around cybersecurity at the Cyber Risk Forum, held in partnership with the RSA Conference, in San Francisco on March 4th. Jackson will be keynoting the event, talking to board members and CEOs about how their companies should be thinking about the future of cybersecurity.
In advance of the event, CBM spoke with Jackson to talk about whether or not the SEC plans on issuing future guidance around cybersecurity disclosure, why boards should stand in front of this issue and more. Below are excerpts from this conversation.
What are some of the recent updates from the SEC on cybersecurity that boards should really know about?
We took the unusual step of issuing commission-level guidance with respect to our expectations for public companies and their procedures and disclosures regarding cyber risk. I joined that guidance. The guidance was unanimous by the five-member commission. I expressed some hesitation, some misgivings that the guidance would not do enough to get board members the guidance they needed to make hard decisions about disclosure of cyber incidents. In that guidance, we specified several important points, but three are worth noting. First, the need for timely disclosure of cyber events. Second, the requirements for internal controls and procedures regarding communication inside the company about cyber risks. And then third, controls about trading by insiders in connection with cyber risk. I would say that we are monitoring the success of that guidance very closely.
I’m concerned that we haven’t seen enough change in this area over the last year. First, I would tell boards to have a close look at the guidance, and get advice from counsel about whether or not they’re up to snuff. They should also be aware that this might not be the last word from the SEC on the subject.
Second, I think folks are taking a close look at our enforcement work. I think our enforcement team has done an incredible job bringing a number of cases over the last 12 months in the cyberspace. Many of those are public that are already known about. The message to boards and public companies is that the SEC is prioritizing cyber incidents as a matter of enforcement. If you have a problem, you should expect to hear from law enforcement folks about it. Under this administration, I think enforcement has taken some important steps to make clear to companies that when they do the right thing, when they come to us and explain that they had an incident and describe it, and talk about the steps they did or did not take… that we’re not going to blame the messenger. We’re going to work with companies to get the right resolution for investors.
Third, it’s important to keep an eye on what’s going on at Capitol Hill in this area, because I can tell you that a number of members of Congress on a bipartisan basis have expressed concern that the corporate governance controls that we have in this area are simply not enough to make sure that investors are protected when it comes to the cyber risk space.
There have been a number of proposals that are worth taking a look at. One is a requirement that public company boards have cyber expertise in the boardroom. Another is a more formal statutory requirement with respect to internal controls. Whatever one thinks of pending legislation, I always encouraged boards to ask themselves, “Do we need cyber expertise in this room? Do we have cyber expertise in this boardroom?” This should be on the board questionnaire that goes out every year when you’re thinking about board refreshment.