Learn more about this event by clicking the image above.
Is there going to be more guidance from the SEC in this area in 2019?
Well, it’s hard to say. It would depend on [SEC director of the division of corporate finance] Bill Hinman and his colleagues in corporate finance think. My own personal view is that the disclosure rules we have at the moment are inadequate when it comes to cybersecurity. Let me say a little bit about why that’s true. In the speech I gave last year, I said that cyber should be the highest regulatory priority for anybody in the government period, but in financial regulation in particular. This is a 24-hour day, seven-day a week war being waged against American companies. Frankly, our way of life, our privacy, our freedoms are all at stake here. I think leading disclosure of a cyber incident to our 8K rule without any special treatment in our 8K rules makes no sense at all. In fact, I get that sense not just from my own judgements about what the 8K rules should do, but from my conversations with boardrooms and members of boards of directors, who tell me that when they find out about a cyber incident and they ask the question whether or not to disclose it, they don’t know. Their lawyers can’t tell them because they are difficult questions.
In reality, there are difficult questions of what is known and what is not known, whether disclosures might get hackers a roadmap. In general, I have found that boards of directors really just want to do the right thing and I think it’s time for the SEC to tell people what that is.
People might say to me that 8K rules can do the job here. Those rules haven’t been touched or even closely looked at for nearly two decades in a world where companies are under attack every hour, every day. I think we should have an 8k item requiring prompt disclosure in this area. And let me say one more thing about that. The reason I think that’s true is that there’s all privacy and another laws on the book that requires companies to disclose that a breach has occurred. All we’re doing by not requiring a federal disclosure, it’s allowing some investors to know it and are there investors who won’t know it. I think I’ve been the SEC’s most forceful voice for clearer disclosure rules in this area.
Why is it important for boards to stand in front of this issue?
There are three reasons why this has become a board level issue. First, news of a data breach has such wide consequences for the company stock price, for its customer base, its supplier base. It effects so much of everything the company does and the way they touch the American public, that it’s not optional any more for boards not to be engaged in the subject. The market has insisted they stand in front. The market for customer service, for suppliers, stock price. All these markets have just pushed boards to a place where the market demands senior level of responsibility for this.
Second, it’s such an urgent and difficult issue. We’re asking American companies to defend themselves from foreign funding, state attacks. Now we’ve got great people into government who are helping. But this is a little bit like asking Walmart to put a military post outside each store. It’s a great deal we’re asking American companies and the mission is critical. So it’s all hands on deck. This is not an issue that most boards feel comfortable leaving up to the CEO or COO because they just feel they have to be involved.
Third, I think it’s an area that’s changing so fast. If I’m having the director asked hard questions or having somebody with an outside perspective coming the table, it really helps improve the conversation. It’s an area where nobody has all the answers. Having a lot of perspectives at the table is very helpful and that’s where boards can be useful.
