Enforcement division eyes cybersecurity disclosures

The SEC’s enforcement arm has yet to bring a case against a public company over cybersecurity disclosures, but that may change, according to Enforcement Division Co-Director Stephanie Avakian.

In Oct. 26, 2017, remarks in Washington, Avakian laid out the vision for the division’s new unit aimed at countering growing cybersecurity-related threats and misconduct.

The market regulator announced the Cyber Unit in late September, following revelations of a 2016 hack of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system in which personal information for two individuals was compromised. The move also comes on the heels of the breach of Equifax Inc., in which hackers stole information for more than 143 million customers of the credit reporting agency. Both incidents have sparked renewed interest in cyber preparedness, both at the commission and among its regulated companies. Both incidents have led critics to question why the hacks were not disclosed more promptly.

Avakian, in her speech, called public company cybersecurity disclosures an “area of potential enforcement interest.”

“In an era where nearly every company is dependent on computer systems to operate their business, it is frequently necessary to provide meaningful and timely disclosures regarding cyber risks and incidents,” she said. “These disclosures are often material on their own or necessary in order to make other disclosures, in light of the circumstances under which they are made, not misleading.”

Avakian acknowledged that cyber disclosure is a “complex area subject to significant judgment,” and said the SEC is “not looking to second-guess reasonable, good faith disclosure decisions.”

“Though we can certainly envision a case where enforcement action would be appropriate,” she said.

Public companies are still relying on the SEC’s 2011 guidance in Disclosure Guidance: Topic No. 2 to understand their obligations for disclosing hacks and other cyber issues. SEC Chair Jay Clayton, in a September statement, argued that guidance “remains relevant today,” despite calls to update it.

In response to a question on the Equifax breach during a confirmation hearing earlier this month, Democratic SEC nominee Robert Jackson told the Senate Banking Committee he feared the commission’s rules and guidance on materiality have not kept pace with the changing market. Hester Peirce, the Republican nominee to the commission, said companies should be held accountable for disclosure omissions.

The SEC’s heightened attention to cybersecurity is part of a global reform effort. In a report this month, the Financial Stability Board (FSB) said that roughly 75 percent of the jurisdictions that belong to the board plan to issue guidance, regulations or supervisory practices addressing financial sector cybersecurity within the next year. The jurisdictions include the U.S., the E.U., and Russia.

Those plans include self-assessment exercises, the development of industry standards for information technology risk, and the creation of a “computer emergency response team” focused on the financial sector, according to the report.

For more information on this topic, or to learn how Baker Tilly SEC accounting specialists can help, contact our team.

We have partnered with Thomson Reuters to issue our monthly SEC accounting insights. Please feel free to contact Baker Tilly at accounting@bakertilly.com if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. © 2017 Thomson Reuters/Tax & Accounting. All Rights Reserved.