Statement in Support of a Multi-Pronged Approach to Cybersecurity
March 9, 2022
As I noted a few weeks ago, cybersecurity is one of the biggest challenges facing market participants today [1]. Chief executive officers have identified cybersecurity as the number one threat to business growth in the coming years. [2] Experts have provided Congressional testimony that cyber threats are among the most significant strategic risks to our national security, economic prosperity, and public health and safety. [3] President Biden signed a National Security Memorandum acknowledging that the recent cyberattacks on Colonial Pipeline and JBS Foods demonstrate “significant cyber vulnerabilities” across our critical infrastructure. [4]
Further, the sophistication and frequency of cyberattacks have increased. And that increase has imposed corresponding economic harms and increased expenses on companies, and their investors. In the most high-profile examples, we have seen outright halts in production and multi-million dollar ransom payments. [5] Costs also include, among other things, loss of intellectual property, reputational damage, remediation expenses, and harms to individual privacy. [6]
The Commission has taken steps to address cybersecurity concerns in the past. In 2018, the Commission issued guidance regarding cybersecurity related disclosure obligations, and also noted that cybersecurity risks and incidents may be material nonpublic information that issuers should contemplate in their codes of ethics and insider trading policies. [7] Despite this prior action, disclosures relating to cyber-security incidents are inconsistent in level of detail, time of disclosure, and placement. [8] In other words, the “who, what, when, and where” is often inconsistent and unreliable.
Today’s proposal is an important step forward in addressing this growing and ever-present risk. The proposal includes an 8-K filing requirement for any material cyber-intrusion, continuing periodic reporting on previously disclosed incidents, and disclosure of related policies and procedures. I look forward to the comment file and working with the public and the staff to finalize this important rule.
Thank you to the staff in the Division of Corporation Finance, the Office of the General Counsel, the Division of Economic and Risk Analysis, and the Chair’s office for their diligent and effective work on this proposal.
[1] See Commissioner Caroline Crenshaw, Statement on Cybersecurity Risk Management Proposal for Investment Advisers, Registered Investment Companies, and Business Development Companies (Feb. 9, 2022).
[2]See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. [] at 9 [hereinafter Proposal].
[3] Proposal at n.14 citing Testimony of Robert Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency (CISA), Securing U.S. Surface Transportation from Cyber Attacks, U.S. House of Representatives, Committee on Homeland Security (Feb. 26, 2019).
[4]“Currently, federal cybersecurity regulation in the United States is sectoral. We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention. Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory. We look to responsible critical infrastructure owners and operators to follow voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.” White House, Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure (July 28, 2021).
[5] See, e.g., Jacob Bunge, JBS Paid $11 Million to Resolve Ransomware Attack, Wall St. J. (June 9, 2021).
[6]See, e.g., Proposal at 10-11; White House, Fact Sheet: Ongoing Public U.S. Efforts to Counter Ransomware (Oct. 13, 2021) (Ransomware payments reached over $400 million globally in 2020, and topped $81 million in the first quarter of 2021).
[7]See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018).
[8]See Proposal at 17-18. See also Commissioner Robert J. Jackson Jr., Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018) (citing White House Council of Economic Advisers to oppose the 2018 statement and guidance given the presence of externalities that would lead firms to rationally underinvest in cybersecurity, underreporting of events, lack of clear instructions on how much information to disclose).