The Securities and Exchange Commission (SEC) was founded at the height of the Great Depression to help restore investor confidence after the Wall Street Crash of 1929. For almost 100 years, the SEC has prioritized “protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation.”
At present, financial markets and investor confidence occasionally waver in the face of cyberattacks. The 2017 Equifax breach caused a stock price drop of 31% a week after disclosure. The SolarWinds attack caused a corporate stock price drop of more than 40%. The Colonial Pipeline outage caused fuel shortages and a corresponding seesaw of losses and gains.
In step with high profile cyberattacks, the SEC has sharpened its focus on cyber risk, to “protect investors, hold bad actors accountable, and deter future wrongdoing.” As markets have grown “more global and complex” so too have cyberthreats.
According to Moody’s Investors Services, cybercrime costs worldwide are likely to total $6 trillion this year and rise 15% annually for the next five years.
Cybersecurity’s Impact On Investors and Financial Markets
- SEC has determined the impact of cyber-related misconduct on investors and markets could include:
- Market manipulation schemes spreading false information through email and social media
- Hacking to obtain material nonpublic information
- Violations involving distributed ledger technology and initial coin offerings
- Misconduct perpetrated using the dark web
- Intrusions into retail brokerage accounts
- Cyber-related threats to trading platforms and other critical market infrastructure
As SEC Chain Gary Gensler pointed out in a webcast hosted by NYU Law School, a cyberattack can harm investors by undercutting the price of a company’s debt or equity security.
Last week, during the Securities Enforcement Forum 2021, the SEC signaled that to protect markets and investors, the agency will focus on ensuring organizations are obligated to give clear cyber risk disclosures and to implement solid internal controls.
SEC Chair Gensler states that SEC staff are “drawing up a proposed mandatory rule for cyber risk disclosure, laying out when a company should consider an attack material and subject to disclosure, and how such disclosure should be made.”
SEC Guidance on Cybersecurity Disclosures
- Companies need to ensure timely, in-depth communication between cybersecurity staff and executives responsible for the disclosure and major decisions;
- Board of directors needs to be deeply involved in cybersecurity risk assessment and disclosure;
- Companies should weigh the materiality of a cyberattack;
- Companies should not describe a cyberattack that has already occurred as hypothetical.
SEC Guidance on Cybersecurity Disclosures implies that the SEC will take a flexible approach to the timing and scope of the disclosure. This will prevent hackers from obtaining insights into a company’s cyber weakness.
“We don’t want a company putting out information that hackers can then use to exploit the company,” but “once the hole is plugged, you should be able to tell investors what happened,” states SEC Senior Counsel Arsen Ablaev
Enforcement of SEC Guidance on Cybersecurity Disclosures
A glimpse at the SEC’s Cyber Enforcement Actions List reveals that the agency is able to assign penalties for not complying with Cybersecurity Guidance. The SEC is ramping up tougher enforcement and has added “cybersecurity risk governance” to its rulemaking agenda. SEC Senior Counsel Arsen Ablaev explains that “If compromised data is related to a company’s critical business, the more likely we are to find materiality and the more likely we are to assign a kind of higher penalty amount to these cases.”
Risk Management: Connecting SEC To ESG
Gary Roboff, Senior Adviser, Shared Assessments, emphasizes the connection between SEC’s intensified focus on cybersecurity and ESG (Environmental, Social, and Governance). Roboff describes the Governance aspect of ESG and how it plays into the SEC’s core mission:
“Under SEC chair Gary Gensler the commission has moved more aggressively against a wide range of ESG issues and since last May’s Colonial Pipeline incident cybersecurity risk management governance has become a high priority. Although we may not think of risk management governance as an ESG issue, make no mistake; the SEC sees it as fundamental to its role of protecting investors, and an essential element in the “G” of its Environment, Social and Governance oversight responsibilities…”
To participate in a discussion about mature third party risk management sustainability practices in today’s fast-paced ESG arena, consider joining the ESG TPRM Strategy Group, a Shared Assessments Cross Vertical Strategy Group.