Speech

Corporate Governance: On the Front Lines of America's Cyber War

New Orleans, Louisiana

Thank you so much, David, for that kind introduction.[1] It's great to be here at the Tulane Corporate Law Institute for what, I know, is one of the most highly-anticipated corporate-law conferences of the year. It also doesn't hurt that it happens to be in New Orleans.[2]

Now, before I begin, let me just give the standard disclaimer: the views I express here are my own and do not reflect the views of the Commission, my fellow Commissioners, or the SEC's Staff. And let me add my own standard caveat: I hope someday to persuade my colleagues of the utter, absolute, and obvious correctness of my views.

Although it already seems like a lifetime ago, I was only recently sworn in as an SEC Commissioner in January. It's been a privilege to serve and an amazing experience so far—made all the more so by the incredibly talented and hardworking SEC Staff with whom I have the honor of working each day.

Since I was, in a previous life, a corporate lawyer at Wachtell Lipton, folks have asked me what it's like to be an SEC Commissioner—so let me share a bit about the glamorous existence of a Commissioner. Each day, my staff and I spend hours combing through thick binders of rules, guidance and enforcement actions that we review, redline and spot check for potential issues. In between meetings, it's not uncommon for us to spend time with other gripping page-turners—you know, like corporate proxy statements. We're always speculating what the guy down the hall, who spent 20 years being one of the world's finest corporate lawyers, is thinking, and when he might send us more work. In short: being a Commissioner is a chance to relive the glamorous life I had as a first-year associate working for David Katz! Chairman Clayton tells me that there's little chance of a closing dinner anytime soon. But at least these days I have a nicer office.[3]

Still, I don't think I could possibly find more interesting, challenging, or fulfilling work. Nor a better group of colleagues to do it with. Nor a more important or pressing set of issues to deal with. It's an incredibly important time for our Nation, our economy, and the Commission, and I'm honored to be a part of our efforts to keep pace with our ever-changing markets.

That's why I wanted to focus today on what I think is the most pressing issue in corporate governance today: the rising cyber threat. As anyone who spends time in the boardroom knows, the digitization of our economy is revolutionizing the way business is conducted. From Wall Street's financial institutions to mom-and-pop retail stores, almost every company—in every sector of the economy—is on some level a technology company. And advances in computer processing, cloud computing, and smart devices are making it faster, cheaper, and easier for firms to leverage data to improve nearly every aspect of their business every day.

I am, by nature, optimistic about the technological transformation currently underway across corporate America. But I'm also realistic about the challenges we face. Hardly a day goes by that we don't hear about another threat, hack, attack, or major cyber event. The sources of all these bad acts are evolving—from rogue programmers to organized crime rings to state-sponsored actors. That's why I was so struck to read the Director of the Defense Intelligence Agency's recent statement before the Senate's Armed Services Committee. Director Ashley told Congress that our "top adversaries are developing and using cyberspace to . . . compromise[e] our national defense."[4] He's right: our companies, and our country, are under attack.

In 2016 alone, there were over 1,000 data breaches—a record high—costing American companies more than $100 billion, according to data gathered by the Identity Theft Resource Center.[5] With that much money, you could buy every single team in the National Football League—and still have $20 billion left over to build a stadium.[6] Last year, 20 million Social Security numbers were exposed in connection with cyber breaches.[7] That's the equivalent of having every person here in Louisiana have their Social Security number stolen—four times. And as your clients know well, the financial cost from the fallout once there is a breach—shareholder lawsuits, regulatory penalties, and reputational issues—will only continue to add up.

No issue in recent years has rocketed to the top of the corporate agenda faster. In 1975, 17% of S&P 500 firms' market value was tied to intangible assets; in 2015, that number was 87%.[8] One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company's future.[9] That shows how quickly this has become a board-level issue. When I was in practice over a decade ago, these issues weren't even on the radar screen of many corporate directors. Today there is no doubt for top corporate counsel: if you're not talking about cyber risk with your clients in the boardroom, you're making a mistake.

Indeed, across America companies are desperately seeking direction as they grapple to identify and follow best practices for cyber risk management. As many of you know, we at the SEC weighed in on this issue just last month, providing Commission-level guidance related to the disclosure of cyber incidents.[10] Although I reluctantly joined the guidance, I believe that we regulators can and must do more on this issue. More on that in a minute.

Right now, our most sophisticated companies are already taking concrete action to protect their businesses from those who would use technology to cause harm. Many are investing heavily in new defenses, personnel and protocols to improve their cyber risk management posture. They are trying to innovate their way to safety. But while these companies should be lauded for their efforts, I would suggest that we need a much more comprehensive response.

Yes, new rules and regulations can help push companies toward cyber resiliency. Yes, improved technological defenses will help mitigate the cyber threat. But these are tactical responses to a strategic problem. We need to think bigger. The cyber threat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention.

In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company's business.

My project today is to enlist all of you in preparing America's companies to meet the cyber challenge. I want to describe three areas in which I believe sophisticated corporate counsel can, in partnership with my colleagues at the SEC, help lead the way in developing the practices that will determine whether we win or lose the struggle to protect American companies from cyber crime. Nothing is more important to the SEC's core mission of protecting the investing public. And nothing is more important to the future of the American economy.

The Law of Cybersecurity and Disclosure

Let's start with the rules at the core of the SEC's mission: the law of disclosure. The Commission's latest guidance, which we issued last month, aims to promote "clearer and more robust disclosure" of cybersecurity breaches.[11] But that guidance, like the 2011 Staff-level instructions it reaffirms, relies heavily on the judgments of corporate counsel to make sure investors get the information they need. I worry that these judgments have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk. I think we at the SEC have much more work to do in getting investors the information they need to understand cyber attacks. And we need your help to get there.

Since 2011, empirical study and hard experience suggest that we're not seeing consistent, timely and complete disclosure on cyber attacks. One 2014 paper argued that the boardroom implementation of our Staff's guidance "resulted in a series of disclosures that rarely provide differentiated or actionable information for investors."[12] Another contended that our guidance in this area "fails to resolve the information asymmetry at which the disclosure laws are aimed."[13] And our own Investor Advisory Committee recently observed that public-company disclosures regarding cybersecurity incidents have not meaningfully improved since 2011.[14]

What's more, when a company's cyber defenses are breached, that fact can find its way into the market even when the firm chooses not to inform investors by filing an 8-K. You see, SEC rules are hardly the only ones that require public companies to reveal data breaches. Our rules are based on materiality. Brighter lines are found in the state law arena. There, a patchwork of ever-changing state laws, along with state and local regulators, often require notification to consumers when residents' personally identifiable information has been compromised.[15]

In my home State of New York, for example, when personal data has been wrongfully obtained, that fact must be reported to state regulators as well as to consumers both inside and outside New York.[16] In fact, all but two States have enacted their own breach-notification laws.[17] And when state or local laws lead to revelations that are not shared with investors, companies and their counsel face significant risk.[18]

I wanted to learn more about disclosure practices in this area, so I ran the numbers myself. My staff and I compiled evidence on data breaches in 2017 that were reported to state and local regulators, as well as to the press.[19] After removing minor breaches from our dataset, what we found surprised us: of 82 cybersecurity incidents at public companies in 2017, only four companies chose to file an 8-K disclosing the breach to their investors.[20] In other words, in 2017, companies that suffered data breaches chose not to file an 8-K more than 97% of the time.

That's not to say, of course, that all of these events were material or required disclosure. But there is significant evidence that events like these matter to the market. One recent survey, for example, found that 20 of 25 academic studies found negative and significant stock-price reactions for firms that are victims of cyber attacks.[21] And in a compelling and important new paper, two Columbia Law School scholars have identified systematic evidence of arbitrage opportunities when traders learn of cyber breaches that have not yet been disclosed.[22]

I don't need to tell all of you about the risks that a board faces when information on a cyber breach leaks before the news has been shared with investors. Besides public approbation and litigation—just days ago, Yahoo! agreed to pay $80 million[23] to settle a suit related to data breaches—the board and management are forced to spend time scrambling rather than pursuing a viable long-term strategy for cyber defense. In the meantime, a few sophisticated and speedy traders may benefit from informed trading, while average American investors suffer. None of this reflects a productive investment of precious resources—and it's not nearly good enough to meet the rising cyber threat we face.

I've called upon my colleagues at the SEC to give careful consideration to new 8-K requirements governing cyber events.[24] I understand, of course, that we must strike a careful balance in this rapidly changing area.[25] But I believe America's companies and corporate bar can do better. And I believe that any rules we make are only as good as the work of the lawyers in the boardroom, where the rubber meets the road.

I hope each of you will urge upon the boards you counsel the pressing need for transparency in this area—and will share, with clients and with us at the SEC, the best practices you are developing to ensure that investors get the information they need when our companies are attacked. Those practices will, I hope, soon inform the next steps my colleagues and I will take in this critical area.

Cybersecurity and Insider Trading

Now let's turn to an especially troubling implication of some of the most high-profile and recent cybersecurity incidents: insider trading. There's no doubt that investors' confidence is shaken whenever they learn that a company's cyber defenses have been hacked. But when it's revealed that the insiders entrusted to protect investors used those events as an opportunity to profit personally, investors rightly question the basic trust that forms the core of our markets.

As many of you may know, at the time of the Equifax breach it was reported that certain insiders sold shares even after the firm's Chief Executive Officer discovered the issue but before the breach was revealed to the investing public.[26] While I cannot comment on any SEC investigations or ongoing litigation, I can say that it is especially alarming when reports of a breach are accompanied by reports of insider trading. It is deeply troubling that insiders may have been able to profit in this way, regardless of whether those specific insiders knew about the breach before engaging in such trading.[27]

There are two important questions raised by these events that I hope you'll help us grapple with. First, are we doing enough in corporate boardrooms to ensure that, when any member of the senior management team learns material nonpublic information, all members of the team avoid trading? As our Chairman, Jay Clayton, has explained, procedures like those are an "important part of good corporate hygiene."[28] They also have the key benefit of encouraging senior management to share critical information early and often with their colleagues.

While I know that some of you are already advising your clients to adopt policies to address these situations, I worry whether those policies have made their way across the wide spectrum of companies and industries that make up our markets. Before I joined the Commission, I wrote a study with two much-more-talented colleagues that identified a surprising amount of trading by corporate insiders during the four-day period between the time when material nonpublic information was discovered and when it was revealed to the public.[29] Although I'm hopeful that Congress, or the Commission, will soon act to address this kind of trading, we can and should learn a great deal from the best practices all of you are developing in this area. I urge you to help us make sure that senior management knows that it makes little sense to trade when material nonpublic information has yet to be revealed to investors.[30]

But there's a second, and even more important, question raised by these developments: Does the law we have today adequately address situations where traders take advantage of nonpublic knowledge that a company has been hacked?

As others have observed, it is far from clear whether or how current law would apply to cases where the trader is not herself a corporate insider.[31] That raises the very real concern that hackers will not only continue to attack American companies—but that they might be able to profit by trading before the investing public discovers what they have done. That's a concern that, I know, is shared by your clients. One recent survey of corporate executives found that financially motivated hackers are the actor that concerns them the most in this area.[32]

In the midst of the war we are fighting on the cyber front, we cannot allow our securities markets to be a source of profit for hackers who use technology to harm the companies that are crucial to the growth of our economy. I hope all of you will help us ensure that best practices—and the laws governing insider trading—keep pace with this ever-changing threat.

Cybersecurity and Internal Controls

Although I had reservations about our recent guidance in this area, one important part of the Commission's statement has, in my view, been overlooked. The guidance specifically urged companies that "[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management," and noted our expectation that firms will have "sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is . . . reported . . . up the corporate ladder."[33]

Building that kind of system is a significant challenge for most public companies. The reason, of course, is that the experts who best understand the cyber threats a company faces are rarely among the company's lawyers. Instead, they are technologists trained to grapple with the latest innovations in the dark art of hacking—and how to protect against them. As one expert in this area recently observed, "lawyers and computer programmers are like foreign cultures."[34]

So we need ambassadors. Counsel like all of you are critical to helping companies build the internal reporting structure that will help boards and management better anticipate, assess, and, where necessary, disclose the next significant cyber attack. You'll need to help your clients assess their organization, learn where the critical knowledge is, and make sure there's a clear and clean path from there to the C-suite—and, eventually, to investors. You might even have to sit in front of a computer and open a program other than Microsoft Word.

Many of you might be thinking that reaching across the divide between lawyers and technologists is a bridge too far, even for the world's finest corporate counsel.[35] But I'm here to remind you that you have done this before. For if there is anything as Byzantine, complex, intimidating, and critical to the health of a business as technology, it is, of course, accounting. Fifteen years after the passage of Sarbanes-Oxley, the companies you counsel have a comprehensive set of controls that bring that specialized knowledge to the attention of management and, where necessary, the experts in the boardroom.

Many of you helped to build those systems by learning more than you ever wanted to know about the dismal science[36] of accounting—where the key sources of information leading to financial reporting were located in an organization and how to make sure management could rely upon them. Here, too, we will need your expertise in understanding how to make sure that information from technologists on the front lines of this war reaches senior management—and, where necessary, the board and investors.

This may well be the area that will demand the most attention from all of you over the coming months. One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management—compared to just 37% who identified the C-suite or the board.[37] The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decisionmakers who need it most.[38]

I am hopeful that this part of our guidance will lead companies and their counsel to ask themselves whether their existing internal controls are up to the daunting task we face. And I know that all of us at the Commission will be on the lookout for the best practices you'll come up with to prepare your clients for this challenge.

*          *          *          *

The cybersecurity threat now gripping corporate America poses new challenges for companies, the SEC, and the investors we serve. But whether those challenges relate to when and how to share information with investors, how to ensure that insiders trade on a level playing field, or how to design organizations so that their senior leaders have the information they need to do the right thing, they are all fundamentally questions of corporate governance.

We regulators can and should do more to protect American investors from the looming cyber threat. We at the SEC should consider disclosure requirements that would give all of you clearer marching orders on when and how to share critical information with investors. And Congress or the Commission should also move quickly to make sure that, when one member of senior management learns material nonpublic information, no member of the team is trading in the company's stock. We may also need to ask ourselves, more fundamentally, whether the insider-trading law we have is adequate to meet these new challenges.

Whatever we do, however, we will need sophisticated corporate counsel to help us make sure that our rules have the intended effect—in the boardroom, in the marketplace, and in the race to protect our companies and our country from the hackers who would do us harm. I hope you'll all join me and my colleagues on the Commission in pushing yourselves and your clients to develop the kinds of cutting-edge best practices we'll need to meet this challenge. And I hope you'll keep this issue at the top of the corporate governance agenda—where it belongs.

Thank you once again for the opportunity to be here with you at Tulane today. I very much look forward to our continued conversations over the coming days.


[1] Commissioner, United States Securities and Exchange Commission. I am deeply grateful to my colleagues Matthew Cain, Caroline Crenshaw, Marc Francis, Satyam Khanna, and Prashant Yeramalli, whose insights and comments have, as always, deepened my thinking on these matters a great deal. Responsibility for any errors or omissions is, sadly, mine alone.

[2] My understanding is that you can get a pretty good meal, and maybe even a drink or two, in this town. That's what I hear, at least. Given my age and appearance, my Staff are taking bets as to whether I'd get carded if I tried to buy a drink on Bourbon Street. Honestly, I'm afraid they might be right.

[3] During my first year at Wachtell, I shared an office with an incredibly hardworking and brilliant young corporate lawyer named Sabastian Niles. It appears he was eventually rewarded for putting up with me. Compare Wachtell, Lipton, Rosen & Katz, Attorneys ("Sabastian V. Niles is a Partner at Wachtell, Lipton, Rosen & Katz where he focuses on rapid response shareholder activism and preparedness . . . .").

[4] Lt. Gen. Robert Ashley, Director, Defense Intelligence Agency, Statement for the Record: Worldwide Threat Assessment, before U.S. Sen. Comm. on Armed Servs. (March 6, 2018).

[5] See Identity Theft Resource Center, Annual Data Breach Year-End Review (2017).

[6] See Mike Ozanian, The Most Valuable Teams in the NFL, Forbes (Sept. 15, 2015).

[7] Identity Theft Resource Center, Annual Data Breach Year-End Review, supra note 4.

[8] Ocean Tomo LLC, Intangible Asset Market Value Study (2017).

[9] Marsh, By the Numbers: Global Cyber Risk Perception Survey 3 (Feb. 2018).

[10] See Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Nos. 33-10459, 34-82746 (Feb. 26, 2018).

[11] Securities and Exchange Commission, SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018) (quoting Chairman Clayton).

[12] PWC & IRRC Institute, What Investors Need to Know About Cybersecurity 5 (2014).

[13] Matthew F. Ferraro, "Groundbreaking" or Broken? An Analysis of SEC Cybersecurity Guidance, its Effectiveness, and Implications, 77 Albany L. Rev. 297 (2014); id. (expressing the concern that cyber disclosures are "of such similarity across industries . . . that they indicate little useful information is coming to the market.").

[14] Securities and Exchange Commission Investor Advisory Committee, Discussion Draft Regarding Cybersecurity and Risk Disclosure (Oct. 26, 2017).

[15] For a list of those state laws—and a demonstration of how varied and complex they are—see National Conference of State Legislatures, Security Breach Notification Laws (Feb. 6, 2018).

[16] See N.Y. Gen. Bus. Law § 899-AA (2016); see also N.Y. State Tech. Law 208 (2016).

[17] See National Conference of State Legislatures, supra note 14.

[18] See, e.g., Securities and Exchange Commission, Regulation Fair Disclosure, 17 C.F.R. § 243.100 (2016); see also Panel Discussion: The SEC's Regulation FD, 6 Fordham J. Corp. & Fin. Law 273, 278 (2001) (remarks of Professor Harvey J.L. Goldschmid) (explaining the key policy rationale for regulating in this area).

[19] These data are publicly available from the Identity Theft Resource Center (ITRC). The ITRC Breach Report, from which we drew this information, is a "compilation of data breaches confirmed by various media sources and/or notification lists from state government agencies. . . . Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, medical information, and even email addresses and passwords. ITRC follows U.S. Federal guidelines about what combination of personal information comprise a unique individual, and the exposure of which will constitute a data breach." Identity Theft Resource Center, Data Breaches (last visited March 14, 2018), available at https://www.idtheftcenter.org/Data-Breaches/data-breaches.

[20] We are hopeful that academic and government researchers will find these data—and the market's potential response to breaches of this kind—worthy of further study. To that end, we have prepared a data appendix, as well as a separate dataset, for researchers' use in considering these questions, and we welcome comments, questions, and further work in this area.

Following Commissioner Jackson’s delivery of this speech, commenters reached out to us with helpful reactions to our Data Appendix and additional data for our consideration, and we have slightly modified the figures in the speech accordingly. We are grateful to these commenters, and especially to Derryck Coleman, for that assistance, and invite and encourage those interested in this area to share additional reactions to these preliminary data. Prior to those comments, our initial figures included 81 cybersecurity incidents and two disclosures, for a rate of over 97%.

[21] Georgios Spanos & Lefteris Angelis, The Impact of Information Security Events to the Stock Market: A Systematic Literature Review, 58 Computers & Security (2016).

[22] See Joshua Mitts & Eric Talley, Informed Trading and Cybersecurity Breaches, 8 Harv. Bus. L. Rev. __ (forthcoming 2018).

[23] See, e.g., Phil Muncaster, Yahoo Agrees $80M Securities Class Action Settlement, Info Security (March 9, 2018).

[24] The SEC has not performed a careful reexamination of its 8-K rules since 2004—when cyber threats were hardly on the horizon for most companies and corporate counsel. See Securities and Exchange Commission, Final Rule: Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date (Aug. 23, 2004).

[25] For example, in the midst of a cybersecurity breach, the board and management may want to be sure they fully understand the scope and scale of the attack before disclosing the news to the public—and want to make sure that any disclosure does not provide a roadmap for future attackers.

[26] See, e.g., Liz Moyer, Equifax's then-CEO waited three weeks to inform board of massive data breach, testimony says, CNBC.com (Oct. 2, 2017), available at https://www.cnbc.com/2017/10/02/equifaxs-then-ceo-waited-three-weeks-to-inform-board-of-massive-data-breach-testimony-says.html.

[27] Yesterday, the Commission charged a former Chief Information Officer of an Equifax business unit with insider trading in advance of the company's September 2017 announcement of its massive data breach. See Securities and Exchange Commission, Former Equifax Executive Charged with Insider Trading (March 14, 2018).

[28] See, e.g., Andrew Ramonas & Rob Tricchinelli, Clayton Mulls SEC Insider Trading Amid Equifax Fears, Bloomberg Law (Sept. 26, 2017) (quoting the Chairman's testimony before the Senate Banking Committee).

[29] See Alma Cohen, Robert J. Jackson, Jr., & Joshua Mitts, The 8-K Trading Gap (August 1, 2016), available at https://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2657877.

[30] Sophisticated observers wonder how our current law applies to these cases, illustrating the inadequacy of current rules for dealing with cases like this—and our failure to make the rules of the road clear to corporate insiders. See Matt Levine, Money Stuff, Bloomberg View (March 15, 2018) ("[I]f you work at a public company, and it suffers a massive data breach, and you don't find out about it before it is public, and you sell your stock because you just have a vague bad feeling about things, is that illegal insider trading? . . . [T]here are some nuances to the question, but the basic answer is no, probably not.").

[31] See Mitts & Talley, supra note 19 (arguing that, although the "efficiency implications of cybersecurity trading are distinct—and generally more concerning—than those posed by garden-variety information trading within securities markets," "both securities fraud and computer fraud in their current form appear poorly adapted to address such concerns, and both would require nontrivial re-imagining to meet the challenge"); see also Matt Levine, Is Cyber-Insider Trading Illegal?, Bloomberg View (Feb. 2, 2018) (discussing the study and inquiring, more generally, whether trading of this kind is prohibited by current law).

[32] See Marsh, supra note 8, at 7 & fig. 4.

[33] Securities and Exchange Commission, supra note 8, at 26-27.

[34] Jason Krause, Does Learning to Code Make You a Better Lawyer? ABA Journal (Sept. 2016), available at http://www.abajournal.com/magazine/article/lawyer_learning_code_zvenyach_ohm.

[35] See Twentieth Century Fox, Office Space (1999) (providing the canonical example of justifying one's employment with the claim: "I have people skills.").

[36] That's actually economics, I know. Or is it? See Derek Thompson, Why Economics is Really Called 'the Dismal Science,' The Atlantic (Dec. 17, 2013) (questioning the standard tale that Thomas Carlyle coined this term in response to Malthus's famous claim that population growth would always strain natural resources).

[37] Marsh, supra note 8, at 8.

[38] See id. at 8 & fig. 5.

Last Reviewed or Updated: April 27, 2018
