Subject: File Number S7-09-22
From: Charles Cresson Wood
Affiliation:

Mar. 21, 2022


Public Comment to the SEC Regarding RIN 3235-AM89 (17 CFR Parts 229, 232, 239, 240, and 249)
Electronic Comments File Number S7-09-22 (for Vanessa A. Countryman)
Proposed Rule on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”

Rule-Making Objectives in a Rapidly Evolving Area: While all of the proposed measures appearing in the above-referenced rules are advisable -- and as someone who has worked in the information security and privacy field for 40+ years, I’m sure they will make a contribution -- I am nonetheless concerned about the trajectory of the SEC’s rule-making process. Adding progressively more and more specific rules puts the SEC in the position of the detailed rule-maker of the specific information security and privacy control measures that must be used at public companies. This has not been the traditional role of the SEC, nor do I believe that the agency currently has the resources to support this role on an ongoing basis. Furthermore, this puts the SEC in the position of being in competition with other organizations that do specifically define such control measures. This definition of the specific requirements for control measures is best left to organizations already doing such work, such as the Cloud Security Alliance (CSA), the Information Systems Audit and Control Association (ISACA), and the National Institute of Standards and Technology (NIST). Instead, I suggest that the SEC could get considerably more leverage, and make a much greater difference with investors, the public at large, and the companies it supervises, if it were to change the corporate decision-making incentive systems that apply to information security and privacy. Furthermore, information security and privacy control measures change very rapidly, and if the SEC continues down this path of increasing specificity in the information security and privacy control measures that it requires of publicly listed companies, it will be obligated to keep abreast of these rapid-fire changes in the field, and then it must attempt to get the very slow SEC rule-making process to keep up with these rapid-fire changes in the field.
For a more detailed discussion about why this increasingly specific rule-making approach is not advisable, and is in fact in conflict with the approach taken by a variety of other organizations, I refer the reader to an article that I co-authored entitled: “A Simple Appeal to Common Sense: Why the Current Legal & Regulatory Regime for Information Security & Privacy Doesn’t Work, and Cannot Be Made to Work” (appearing in the December 2017 issue of ISSA Journal).

Achieving More Leverage by Changing Incentive Systems: The SEC has made a tremendous difference with two general decision-making related rules it has issued: (1) those pertaining to third-party financial auditor opinions about financial statements, and (2) those pertaining to top management sign-off on the internal controls used to prepare financial statements. These rules are, of course, a direct result of the Securities Act of 1933, the Securities Exchange Act of 1934, and the Sarbanes-Oxley Act of 2002. These two areas of general rulemaking have placed top management at publicly listed companies in a position where they must clear a major action hurdle (specifically, obtain an independent audit opinion and sign off on the internal controls) in order to be able to issue financial statements, as is required for continued listing of their company’s stock on public exchanges. These two areas of general rulemaking have changed the ways that top management at public companies make decisions about, design, document, audit, and report on control measures, and the net result has been a tremendous increase in accounting system transparency, publicly released data integrity, and a related reduction in fraud. These two general rules have changed corporate incentive systems for publicly listed companies, and something comparable should be done in the area of information security and privacy, to properly incentivize top management (and the board too) to pay sufficient attention to, and devote adequate resources to, information security and privacy matters. For example, the SEC could require that all publicly listed companies annually obtain the professional opinion of an independent attorney, expressing his/her opinion about whether the directors and officers have been performing their existing fiduciary duties in a manner that meets the minimum requirements defined by laws and regulations in the information security and privacy area.
The related required control measures have already been defined by laws and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), court decisions such as In re Caremark Int’l Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996), and agency regulations such as the Federal Trade Commission’s Red Flags Rule (for identity theft). While of course the relevant information security and privacy requirements with which the directors and officers must comply will vary by industry and jurisdiction (such as according to state law), the set of requirements to which the directors and officers can now be held to account can readily be defined and audited against for every publicly listed company. If the SEC were to adopt a rule which changes decision-making incentive systems in the domain of information security and privacy, the way it did with the requirement for all annual reports to be audited by an independent financial auditor, that would make a very big contribution, and it would also free the SEC of the need to keep defining/updating specific control measure rules year after year as this field continues to evolve rapidly (as discussed above). For considerably more information about changing incentive systems in this area, I refer the reader to a law review article I wrote entitled “Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability” (appearing in the December 2016 issue of the Journal of Legislation).

Charles Cresson Wood, Esq. (CA), JD, MBA, MSE, CISSP, CISM, CISA, CGEIT, CIPP/US, management consultant and compliance auditor, InfoSecurity Infrastructure, Inc., based in Lakebay, Washington, and author of the recent book entitled “Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process.”