In February 2018, the SEC voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Shortly thereafter, the SEC brought charges against Yahoo (by then renamed Altaba) for failing to disclose a major data breach in its 2015 and 2016 periodic reports, and in recent months the SEC has continued to signal its increased focus on this critical disclosure issue.
Most recently, the SEC settled charges against Voya Financial Advisors after intruders called its technical support line posing as the firm's own contractor representatives, obtained password resets, and gained access to the personal information of roughly 5,600 customers. The SEC found that Voya's deficient policies and procedures violated the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and to protect customers from the risk of identity theft.
This was the SEC’s first enforcement action charging violations under the Identity Theft Red Flags Rule. In light of the SEC guidance, companies can’t rely on boilerplate cybersecurity risk factors, policies and procedures in their reporting. Companies need to be specific and to describe accurately the internal measures that will actually be followed in the event of a hack, a lesson also reflected in the action arising from the Equifax breach. The New York Times reports that the SEC’s first-ever use of its red flags rule “should set off alarm bells for every financial firm and board of directors under the agency’s watch. Most companies are probably not in compliance with the rule and, given the agency’s increased focus on cybersecurity, they should move quickly to address any issues.”
The Voya settlement shows the SEC is paying close attention not only to an organization’s data security compliance measures, including formal written data security policies and procedures and whether they are kept current and work in practice, but also to whether cyber risk is addressed at the board and C-suite level when required. The expectation that companies have some cybersecurity expertise on their Board of Directors prompted the Senate to introduce Bill S.536, the “Cybersecurity Disclosure Act of 2017,” last year. Under this bill, public companies would be required to disclose whether any member of their Board has cybersecurity expertise and, if not, why not. With the SEC’s regulatory expectations so clear, the price of ignoring this message will likely be steep.
SEC Commissioner Kara Stein is urging the SEC to adopt even more specific cybersecurity rules, while also pushing boards to be more diligent about their fiduciary responsibility to shareholders. In a recent speech, Stein said, “Commission rules require public companies to disclose whether boards of directors have at least one financial expert on their audit committees. Likewise, boards should consider whether they have an independent member with expert knowledge of technology and cybersecurity. If not, Boards should retain independent experts to provide it with advice.”