SEC Chair Clayton's Opening Salvo: A Measured Approach to Enforcement of Public Company Disclosure of Cyber Risk and Cyber Incidents?

SEC Chair Jay Clayton's first public speech as SEC Chair, delivered on July 12, 2017, ran to approximately 3,800 words. However, it is a brief 128-word passage near the end of the speech that many might find the most interesting, and perhaps the most reassuring. Speaking directly to public companies (and therefore to their boards, management, employees and shareholders), Chair Clayton reiterated the long-standing SEC position that public companies must take seriously their obligation to disclose material cyber risks and cyber incidents. In the same breath, however, he also set what could be a tempered tone on SEC enforcement against companies that have effective cyber controls and practices in place and yet still fall victim to a cyber incident.

Specifically, Chair Clayton said: "As a final comment on enforcement, I want to go back to cybersecurity. Public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously. I also recognize that the cyber space has many bad actors, including nation states that have resources far beyond anything a single company can muster. Being a victim of a cyber penetration is not, in itself, an excuse. But, I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations. Said another way, the SEC needs to have a broad perspective and bring proportionality to this area that affects not only investors, companies, and our markets, but our national security and our future." (https://www.sec.gov/news/speech/remarks-economic-club-new-york#_ftn12)

Chair Clayton's comments, albeit brief, on bringing enforcement actions against public companies that are the victims of cyber incidents are consistent with an opinion piece he co-authored in June 2015 for Knowledge@Wharton titled "We Don't Need a Crisis to Act Unitedly Against Cyber Threats." In that piece, Chair Clayton noted not only the significant threat posed by cyber incidents, but also the logical flaw in holding victims of sophisticated attacks responsible for failing to prevent the attack. Specifically, the piece noted:

  • "Cyber-attack victims unfairly shoulder the blame. In the 'Alice-in-Wonderland' aftermath of cyber-attacks, the perpetrators are often beyond the law and the victimized enterprise stands trial. As 'defendants,' they are convicted of knowing that they were attractive, inviting the assault and then failing to fend-off their attackers."
  • "Cyber risk is now a systemic threat to national security, economic sustainability, safety, public confidence, and to the freedoms that constitute our way of life."
  • "The occurrence of a large catastrophic and systemic attack is no longer a matter of 'if', only when and how costly to life, property, reputations, the economy, and our overall sense of confidence and security." (https://knowledge.wharton.upenn.edu/article/we-dont-need-a-crisis-to-act-unitedly-against-cyber-threats/)

The above is consistent with my discussions with current and former U.S. Department of Justice cyber chiefs, who seem to recognize that the existence of a breach at a company does not necessarily equate to wrongdoing on the part of that company or its management or board.

As for my thoughts on what this means: for starters, it makes good sense for companies to periodically assess their cyber risk to determine whether any new or different cyber risks face the company. Cyber crime develops at a breakneck pace and is constantly evolving in an attempt to stay one step ahead of detection. Periodic cyber risk assessments will help companies stay abreast of their risk profile, while also demonstrating that they are a "responsible" company in the sense Chair Clayton described.

As a corollary to a periodic risk assessment, public companies often consider an active cyber risk monitoring program, including periodic audits to determine whether there is any evidence of a latent cyber risk or cyber incident. There are many different ways this can be done, depending on the risk profile of a particular company. And, again, this will go a long way toward establishing that the company is acting responsibly.

If you have any questions about this piece or would like to hear more thoughts on this topic, I can be reached at (312) 861-8616, or by email at [email protected].

More articles by Jerome Tomas