Close this search box.
Close this search box.

Inside the SEC’s Statement on Cybersecurity

Critics and issuers should read this statement carefully and step back to see how it is constructed. It may actually serve as a good model for issuers' own procedures and disclosures on cybersecurity.

I strongly urge everyone to read SEC Chair Jay Clayton‘s recent Statement on Cybersecurity. One part of the statement is receiving a lot of attention. Last month, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. While the Commission believes the intrusion (the exploitation of a software vulnerability in the test filing component of the EDGAR system) did not result in unauthorized access to personally identifiable information, jeopardize its operations, or result in systemic risk, it openly admits that it did result in access to nonpublic information of issuers.  The statement did not say whether any of the issuers’ nonpublic information that was exposed was material, and there’s no way it could possibly determine that. The Commission’s investigation of this matter is ongoing.

This statement by Chair Clayton is extraordinary and will have critics questioning the Commission’s own credibility when it beseeches issuers to beef up their cybersecurity systems and disclosures. However, the statement also raises some important questions:

  1. Should the language disclosing the EDGAR breach have been in the title or first paragraph of the statement, and should the Commission have disclosed the breach immediately upon discovering it in August instead of waiting until September? One could easily imagine those questions appearing in a comment letter from the Commission’s Division of Corporation Finance staff in a review of an issuer’s 1934 Act disclosures with a similar fact pattern.  How would investors or the Commission’s staff react if an issuer’s press release or SEC filing about cybersecurity did not mention an actual breach until 1,400 words into it, in the 17th paragraph?  And, as far as timing goes, should the EDGAR breach have been disclosed earlier, say within four business days of discovery?  Cue to the old Senator Howard Baker Watergate hearings question, “What did [they] know and when did [they] know it?”
  2. How might the Commission’s recent experience with its own cybersecurity inform its future enforcement actions and disclosure reviews? Critics often complain that the Commission’s staff doesn’t understand the challenges and complexities of the companies it regulates and as a result doesn’t get its enforcement actions or disclosure comments right.  While this isn’t really an “eat your own cooking” or “pot calling the kettle black” moment, it may be a “teachable” moment for the Commission and its staff as they carry out their responsibilities going forward. Chair Clayton states, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.  That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself.” Still, he goes on to state, “[u]ltimately, a large portion of the costs incurred in connection with these risks, including the costs of mitigation, are borne by investors, consumers, and other important constituents,” reminding us that the Commission’s mission is first and foremost to protect investors, not companies, boards, or management. So, companies should not expect much, if any, additional empathy from the attorneys at the Commission’s Division of Enforcement, even after this event.
  3. How will this impact the debate over cyber expertise on public company boards of directors? Corporate stakeholders—most notably investors, cyber experts, and Congress—have been urging boards to ensure at least some of their directors have legitimate cybersecurity expertise. The Equifax hacking debacle is only the most recent in a long line of incidents that have prompted calls to action. Recall the bipartisan bill in Congress that (if signed into law and adopted by the Commission) could effectively mandate every board to have a member who is a bona fide cybersecurity expert, similar to the Sarbanes-Oxley Act’s requirement that every board have an “audit committee financial expert.” And, while the primary aim of the recently-announced next phase of the New York City Comptroller’s Boardroom Accountability Project campaign is to “ratchet up the pressure on some of the biggest companies in the world to make their boards more diverse, independent, and climate-competent,” the director skills matrix that the Comptroller has asked companies (151 so far) to provide to him and disclose to all investors could eventually be used to highlight a board’s cybersecurity expertise or lack thereof.  The sample matrix the Comptroller provides on its website includes categories called “Risk Management” and “Technology/Systems.” It’s probably just a matter of time before those categories spawn a “Cybersecurity” or “Information Security” box to check in some company’s proxy statement, which could mark the beginning of a real trend.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.