Member Article

On March 26, 2014, the Securities and Exchange Commission (“SEC”) hosted a roundtable to discuss cybersecurity. The roundtable focused on how cybersecurity affects markets and how public companies and other businesses should address cybersecurity issues. The event is the latest signal that the government is increasingly focused on cyber issues and follows on the heels of (i) the SEC’s previous guidance on disclosures of cybersecurity risks, and (ii) the Obama administration’s executive order on cybersecurity, developments that our firm has previously analyzed here and here. 

Roundtable Discussion 

In opening comments at the roundtable, Commissioner Luis A. Aguilar emphasized that “cybersecurity has become a top concern to American companies, regulators, and law enforcement agencies. This is in part because of the mounting evidence that the constant threat of cyber-attack is real, lasting, and cannot be ignored.” He noted several recent attacks against prominent public companies, financial institutions, government agencies, and securities exchanges and stressed that the SEC is committed to increasing its role in addressing cybersecurity issues because cyber-attacks “can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard.” Accordingly, Commissioner Aguilar expects that the SEC will implement additional steps to combat cyber-threats, including establishing a new Cybersecurity Task Force. 

Panelists discussed both cyber issues affecting public companies and issues regarding how cyber-attacks can impact market infrastructure as a whole. One theme focused on the rapid rise in the number and sophistication of both internal and external cyber-attacks. It remains to be seen how the SEC will respond, but panelists cautioned against the adoption of one-size-fits-all regulations that might give external hackers and disillusioned employees a blueprint for circumventing them. Panelists also strongly endorsed information sharing among regulators and targets of attacks. 

Takeaways 

Although public companies already had ample reason to prioritize cybersecurity issues for the protection of their shareholders, customers, and employees, the SEC’s increasing involvement in this area should provide an additional motive for companies to develop a comprehensive plan to combat data breaches and other cyber-attacks. In addition to having robust preventative measures in place including regular exercises to identify potential vulnerabilities, companies must formulate a well-thought out plan in advance so they can be prepared to address the cybersecurity issues that will inevitably arise in any business. For additional information on how to develop a comprehensive cybersecurity plan, see our articles here and here. Companies that are unprepared for cyber-attacks greatly increase the likelihood of finding themselves in the SEC’s crosshairs. Experienced outside counsel can work with clients to develop preventative plans and respond to cyber issues that occur. 

For further information or for any questions about cybersecurity, privacy, or data breach issues, please contact one of the attorneys listed below: