
Cybersecurity and Small and Emerging Companies

Commissioner Luis A. Aguilar

U.S. Securities and Exchange Commission*

Sept. 23, 2015

Thank you and good morning. I want to start by welcoming the members of the Advisory Committee on Small and Emerging Companies to today’s meeting. As you know, this is the final meeting of the current term of this Committee, and I would like to extend my appreciation to each of you for your service to this Committee, the Commission, and the greater public good. I appreciate your efforts and look forward to today’s discussions. I would also like to thank the staff of the Division of Corporation Finance’s Office of Small Business Policy for organizing this meeting and for their work on renewing the Committee’s charter for an additional two years. This Committee performs an important service to America’s small business community and I look forward to its continued good efforts.

I note that one of the topics on today’s agenda is the Committee’s recommendation regarding expanding simplified disclosure for smaller issuers. As you know, the SEC has long recognized the significance of small businesses, and has promulgated a number of regulations focused on smaller companies.[1] These regulations include providing scaled disclosure and reporting requirements for small business issuers, which were amended in 2007 to provide for simplified disclosure and reporting to an expanded group of so-called “smaller reporting companies.”[2]

As you consider future recommendations to the regulatory environment for small and mid-sized/emerging companies, I urge you to keep in mind the dual goals of a strong capital market environment for these companies and the needs of their investors. I think we can all agree that any discussion of how to optimize the ways smaller issuers can raise capital has to be accompanied by a robust discussion of how to optimize the protection of investors. Neither goal is exclusive of the other, and I am confident that this Committee is well-positioned to consider how best to enable businesses to raise capital in a cost effective way while also, importantly, providing for ways to protect investors and the markets generally. I look forward to hearing your thoughts as to how best to accomplish these important goals.

I also want to briefly discuss a topic that is not on today’s agenda, but I hope it will be considered for a future meeting of this re-constituted Advisory Committee: and that is the increasing threat to small and emerging companies of cyber-attacks. While cybersecurity is not traditionally an issue that encompasses the Commission’s regulatory focus on small businesses—other than those businesses that it regulates as broker-dealers, investment advisers, and such—it is increasingly on the minds of all investors.

As news headlines constantly make clear, massive data breaches have become commonplace.[3] Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially malicious threat to smaller businesses. The reason is simple: small and midsize businesses[4] are not just targets of cybercrime, they are its principal target. In fact, the majority of all targeted cyber-attacks last year were directed at small and midsize businesses.[5] The most predominant reason for this is also the most obvious: smaller companies pose easier targets than larger organizations, and must protect against such threats with far fewer resources.

Despite these threats, and the heightened vulnerability to which smaller businesses are subject, there is reason to believe that the small business sector may not be taking cybersecurity as seriously as it should. One recent survey of 400 small firms found that 27 percent of them have no cybersecurity protocols at all, and that a similar number of firms have difficulty implementing even the most rudimentary cyber defenses, such as routinely backing up their data.[6] This apathy is ill-advised, given the increasing sophistication and expertise of cybercriminals; instead, a proactive approach appears to be warranted.

These cyber-attacks are becoming more prevalent and their impact on small businesses and their investors can be devastating. This is a subject that I will cover in more detail in a forthcoming article in the Autumn 2015 edition of Cyber Security Review—and I would encourage this Committee to also give it attention.

I look forward to a vibrant discussion of all of your agenda topics. Thank you.

[*] The views I express today are my own, and do not necessarily reflect the views of the U.S. Securities and Exchange Commission (the “SEC” or “Commission”), my fellow Commissioners, or members of the staff.

[1] See, e.g., Amendments for Small and Additional Issues Exemptions under the Securities Act (Regulation A), Release No. 33-9741 (Mar. 25, 2015), available at; Crowdfunding, Release No. 33-9470 (Oct. 23, 2013), available at; and Eliminating the Prohibition Against General Solicitation and General Advertising in Rule 506 and Rule 144A Offerings, Release No. 33-9415 (July 10, 2013), available at

[2] See Smaller Reporting Company Regulatory Relief and Simplification, Release Nos. 33-8876 (Dec. 19, 2007), available at

[3] Ponemon Institute, LLC, 2015 Cost of Data Breach Study: Global Analysis, 1 (May 2015) (noting that “the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million,” representing a 23 percent increase), available at

[4] For purposes of this article, I define the term small and midsize businesses to include businesses with up to 2,500 employees.

[5] Symantec, Internet Security Threat Report, 6 (Apr. 2015) (noting that “[l]ast year, 60 percent of all targeted attacks struck small- and medium-sized organizations.”), available at

[6] Time Warner Cable Business Class, Security and New Technology Upgrades a Challenge for Small Business Owners According to Time Warner Cable Business Class Small Business Survey (May 2015), available at
