Commissioner Jackson identifies legal risks in failure to disclose cyber breaches

The Securities and Exchange Commission’s (SEC) Commissioner Robert Jackson said recently that even when companies avoid disclosing attacks on their computer systems in an SEC filing, alert investors still have ways of learning about the breaches and punishing the stock.

“There is significant evidence that events like these matter to the market,” Jackson said according to the transcript of a speech he delivered on March 15, 2018, in New Orleans. He added that public companies have not consistently been making timely disclosures about attacks on their computer systems. Despite the lack of reporting to the SEC about the attacks, companies are often subject to other legal mandates, often at the state level, that require notification to consumers when their data has been exposed.

Jackson was speaking a few weeks after the SEC published Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, which updated the agency’s 2011 guidelines from Disclosure Guidance: Topic No. 2, Cybersecurity. Because the updated guidance was so recent, there was no way for Jackson to definitively say how the update affected company behavior. But in his view companies may be well advised to err on the side of more disclosure rather than less.

Failing to release an 8-K filing to the market in a timely fashion puts a company on the defensive in protecting its reputation. It may also give shareholder plaintiffs an excuse to file complaints if there’s a drop in the share price.

“The board and management are forced to spend time scrambling rather than pursuing a viable long-term strategy for cyber defense,” Jackson said. “In the meantime, a few sophisticated and speedy traders may benefit from informed trading, while average American investors suffer. None of this reflects a productive investment of precious resources—and it's not nearly good enough to meet the rising cyber threat we face.”

Jackson said he has been pushing inside the SEC for tightening the rules around disclosures of cyber breaches, although the prospect of a new rule being adopted in the current regulatory environment seems unlikely.

Still, Jackson believes there is a good deal of urgency for the SEC to take action.

He also urged public company directors to become more aggressive in limiting managers’ ability to trade when a company that has suffered an attack has not yet reported the attack back to the markets.

Jackson also said directors and executives needed to be more alert to the risks from hackers who have a financial motivation to profit by short-selling the shares in a company that has been the victim of a computer attack.

“We cannot allow our securities markets to be a source of profit for hackers who use technology to harm the companies that are crucial to the growth of our economy,” Jackson said.

Jackson also said that he hoped companies would use Release No. 33-10459 to develop stricter policies for the internal controls for cybersecurity. In his view, some techniques developed following the enactment of the Sarbanes-Oxley Act of 2002 and used for financial reporting systems can be adapted to cybersecurity.

“This may well be the area that will demand the most attention from all of you over the coming months,” he said.

For more information on this topic, or to learn how Baker Tilly SEC accounting specialists can help, contact our team.

We have partnered with Thomson Reuters to issue our monthly SEC accounting insights. Please feel free to contact Baker Tilly at if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. © 2018 Thomson Reuters/Tax & Accounting. All Rights Reserved.