SEC's new cybersecurity guidance falls short

Post Equifax, those who hoped that the US Securities and Exchange Commission would impose tougher rules (and consequences for breaking them) around reporting breaches will be disappointed.

The Securities and Exchange Commission (SEC) issued new guidance in February, urging senior executives and board members to pay closer attention to cybersecurity. However, the recommendations, while more stringent than what was in place before, don't go far enough, critics say, and, more importantly, lack teeth.

No consequences for failure

In a set of recommendations about disclosures of cybersecurity risks back in 2011, the SEC said that companies need to "disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."

The agency clarified that this did not require businesses to talk about specific technical details of those risks. As a result, the disclosures that companies did make were not particularly useful, according to a 2014 study by PricewaterhouseCoopers and the Investor Responsibility Research Center Institute. Instead, the disclosures "rarely provide differentiated or actionable information for investors."

In addition, the earlier guidance suggested that the SEC would not enforce any of its cybersecurity recommendations, says Ernest Badway, co-chair of the securities industry practice at Fox Rothschild LLP. Instead, the agency would work with companies "to make sure they have protections in place."

In the future, the SEC would consider enforcement actions if the companies ignored the recommendations, he says, but there was no sign of that enforcement in the new guidance. In fact, Badway says, it doesn't offer much more than the original 2011 recommendations did.

"It's quite well and good to point out all these issues," Badway says. "However, what they're not doing is saying what happens when a company failed to meet these regulations. There's no bite. All it really says is that everyone knows it's important to have policies, procedures, and a plan in place for when something goes wrong, and that people shouldn't be trading on information if they know it's been a hack."

By comparison, other cybersecurity regulations have significant enforcement power behind them. Breach notification laws, for example, are in place in 48 states, Washington, DC, and Puerto Rico, according to the law firm Perkins Coie.

A year ago, New York began requiring comprehensive cybersecurity assessments from financial services companies in the state. This May, the European Union's General Data Protection Regulation (GDPR) goes into effect with fines of up to 20 million euros or 4 percent of annual global revenues, whichever is higher.

This new SEC guidance doesn't compare to that, says Badway. "Not even close." As a result, he says, he doesn't see corporations rushing out to improve their cybersecurity processes in response to the new SEC guidance. They might be more motivated to improve by shareholder lawsuits, he adds, but the new guidance isn't likely to provide more fuel for the plaintiffs. "The criteria are the same," he says. "I don't think anything has changed."

Ironically, the new SEC guidance does mention both the New York State regulations and the EU's GDPR, but only in the context of the potential litigation and legal risks of failure to comply with those requirements.

The SEC voted unanimously to approve the new guidance on February 20, but not all the commissioners were equally enthused by the final product. "I am disappointed with the Commission’s limited action," said commissioner Kara Stein in a statement. "Should we be, in effect, re-issuing staff guidance solely to lend it a Commission imprimatur?" she asked. "Will companies, their general counsels, and their boards suddenly take notice of their cyber-related disclosure obligations because of the Commission’s new endorsement?"

Instead of recycling old advice, she said, the commission could have examined what it's learned since 2011 from reviews of hundreds of public company filings every year. It could have looked at recent advances in technology used in cyberattacks. "The list goes on," she wrote. "In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance."

Since that guidance was first released, there have been no significant changes in companies' disclosures, she said -- a sign that guidance alone is not enough. Meanwhile, the risks and costs of cyber attacks are going up, Stein said. For example, the SEC could have considered more stringent disclosure requirements, as well as going beyond just disclosures to setting minimum cybersecurity standards and procedures. Instead, the guidance that was released "may provide investors a false sense of comfort that we, at the Commission, have done something more than we have," she said.

Stein wasn't alone. "The guidance essentially reiterates years-old staff-level views on this issue," said SEC commissioner Robert Jackson in a statement. "But economists of all stripes agree that much more needs to be done." Without adequate regulation, companies will under-invest in cybersecurity, he said, citing a report released in February by the Council of Economic Advisers. "I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy," he said.

Focus on insider trading, new risks

The biggest takeaway for many experts from the new guidance is the attention paid to the problem of insider trading in connection to undisclosed cybersecurity problems. In one high profile case last year, the SEC and the US Department of Justice investigated the questionable sale of $1.8 million worth of stock by three Equifax executives after the company learned of a breach of 143 million records, but before the breach was disclosed to the public.

"While these undisclosed investigations are being conducted to determine the extent and potential impact of an attack, it’s simply reckless and inappropriate for executives to trade equities, even if they’re on an automated plan," says Bill Conner, CEO at SonicWall, a cybersecurity vendor based in Santa Clara, Calif. "There’s more to be done by the SEC with respect to cyber guidelines on disclosure and insider trading rules, but this is a solid step in the right direction."

The new SEC guidance also draws additional attention to specific cybersecurity risks, experts say. For example, it specifically mentions ransomware, phishing, SQL injection attacks, and DDoS attacks. In the case of DDoS attacks, the SEC warns companies that if they've had a DDoS attack previously, it's not enough to inform investors that such an attack might occur. Instead, they may need to discuss the previous incident and its consequences. "This welcome clarification will lead to a better understanding of the true costs of DDoS attacks," says Ashley Stephenson, CEO at Corero Network Security.

Too often, DDoS attacks are not disclosed, Stephenson says. While the current guidance doesn't specifically address the question of consequences, that might change. "Given the prevalence of DDoS attacks, it is unlikely that the defense of 'plausible deniability prior to the first disclosable attack' will be tolerated by the SEC for very long," he says.

What's surprising is that the SEC didn't address the issue of privacy anywhere in its guidance document, says Willy Leichter, VP of marketing at CipherCloud. "Granted, data privacy may not be in the SEC’s purview, but these incidents most commonly involve breaches of customer data and ensuing loss of privacy, confidence and customer trust," he says.

More implementation details to come?

We might yet see more details about the implementation of these guidelines this year, says Eldon Sprickerhoff, founder and chief security strategist at eSentire, including new rules for timely breach notifications, and a blackout period following the discovery of a cybersecurity event to prevent insider trading. "There is no doubt that with the combination of incoming GDPR implementation and the Equifax event last year, the SEC will increase the spotlight on incident response preparedness," he says.

It will take more work to achieve true "security in sunshine," says Jeff Williams, CTO and cofounder at Contrast Security, "but this reaffirmation is a good step forward."

There is a great deal of information that companies can disclose that won't create additional security risks, he says. "That includes both vulnerability, breach, and risk management process information. Look for the SEC to go after companies that don’t disclose these risks and are breached in a way that harms consumers or investors."

SEC chairman Jay Clayton said in a statement that more action might be coming. "We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."