FROM: SECURITIES AND EXCHANGE COMMISSION
The Commission’s Role in Addressing the Growing Cyber-Threat
Commissioner Luis A. Aguilar
March 26, 2014
I would like to start by welcoming each of the participants, audience members, and those joining us by webcast.[*]
In recent months, cybersecurity has become a top concern to American companies, regulators, and law enforcement agencies.[1] This is in part because of the mounting evidence that the constant threat of cyber-attack is real, lasting, and cannot be ignored.
One of the most prominent examples of the wide-ranging and potentially devastating effects that can result from cyber-attacks is the December 2013 data breach of Target Corporation.[2] In addition, several large banks have repeatedly been the subject of denial-of-service attacks in which their public websites have been knocked offline for hours at a time,[3] and numerous government agencies have also experienced a series of cyber-attacks.[4] Moreover, cyber-attacks on financial institutions have become both more frequent and more sophisticated.[5] This is also true of cyber-attacks on the infrastructure underlying the capital markets. For example, according to a 2012 global survey of securities exchanges, 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year.[6]
As an SEC Commissioner, I have become particularly concerned about the risks that cyber-attacks pose to public companies, and to the capital markets and their critical participants, including the exchanges, clearing agencies, transfer agents, broker-dealers, and investment advisers. Cyber-attacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard.
There is no doubt that the SEC must play a role in this area. What is less clear is what that role should be. As many of you know, in 2011 the staff issued guidance to public companies about their disclosure obligations with respect to cybersecurity risks and cyber incidents.[7] I hope that these disclosures have helped investors and public companies to focus and assess cybersecurity issues. However, the increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors.
As I explored this issue, it became readily apparent to me that the Commission has much to learn about the specific risks that our regulated entities and public companies are facing. After conducting research into this area, I recommended that the Commission convene a roundtable so that we can begin to develop a better understanding of this growing problem. I am pleased that Chair White agreed with my recommendation and asked the staff to make this roundtable a reality.
The issues that will be discussed by today’s four panels can roughly be broken down into two categories – issues potentially impacting public companies and issues impacting the capital market infrastructure and SEC-regulated entities. With regard to the public company discussion, I am particularly interested in hearing whether the current disclosure regime under the 2011 guidance is working or how it could be improved.
The risks facing the capital market infrastructure and regulated entities are of particular concern to the SEC. For instance, a cyber-attack on an exchange or other critical market participant can have broad consequences that impact a large number of public companies and their investors. Indeed, given the extent to which the capital markets have become increasingly dependent upon sophisticated and interconnected technological systems, there is a substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.
I am hopeful that today’s Roundtable will engender significant discussion about the ways in which regulators and industry can work together to address these risks. One of the most important things that can develop from this Roundtable is for the Commission to hear what we can do to help you fight, and respond to, the growing cyber-threat that is confronting our markets and our public companies. My expectation is for the Commission to analyze all of the information we will receive as a result of this Roundtable and, with appropriate haste, consider what additional steps the Commission should take to address cyber-threats.
It will be important to keep the dialogue and momentum from today’s event going. One immediate step the Commission should take is to establish a Cybersecurity Task Force. This Task Force should be composed of representatives from each division that will regularly meet and communicate with one another to discuss these issues, and, importantly, advise the Commission as appropriate.
In conclusion, I would like to thank all of our panelists for taking the time to be here today, and I want to thank the staff for organizing the Roundtable. I look forward to a well-informed discussion about cyber-attacks, as well as the ways to prevent, respond to, and mitigate the risks of such attacks. As a reminder, there will be a public comment file associated with today’s Roundtable, and I look forward to receiving additional comments and input on this issue.
Thank you.
[*] The views I express today are my own, and do not necessarily reflect the views of the U.S. Securities and Exchange Commission (the “SEC” or “Commission”), my fellow Commissioners, or members of the staff.
[1] For example, on February 26, 2014, the U.S. Commodity Futures Trading Commission (“CFTC”) published guidance outlining the data security practices it expects from firms it oversees and the third parties they contract with. See CFTC Staff Advisory No. 14-21, Gramm-Leach-Bliley Act Security Safeguards (Feb. 26, 2014), available at http://www.cftc.gov/ucm/groups/public/@lrlettergeneral/documents/letter/14-21.pdf. In addition, the Director of the Federal Bureau of Investigation (FBI), James Comey, said last November that “resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.” See Testimony of James B. Comey, Director, Federal Bureau of Investigation, before the Senate Committee on Homeland Security and Governmental Affairs (Nov. 14, 2013), available at http://www.fbi.gov/news/testimony/homeland-threats-and-the-fbis-response. Also, on December 9, 2013, the Financial Stability Oversight Council held a meeting to discuss cybersecurity threats to the financial system; see also, U.S. Department of the Treasury Press Release, Financial Stability Oversight Council (FSOC) to Meet December 9 (Dec. 2, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2228.aspx; Jaclyn Jaeger, “Boards Look to Boost IT, Data Security Oversight,” Compliance Week (Mar. 11, 2014) (noting that company boards have become much more sensitive to cybersecurity risks and the harm they could cause to a company’s reputation and business). The importance of this issue is also reflected in the recent notices that the staffs from the SEC’s Office of Compliance Inspections and Examinations and from FINRA will have cybersecurity as a focus of their 2014 examinations. See SEC’s National Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; FINRA’s 2014 Regulatory and Examination Priorities Letter (Jan. 2, 2014), available at http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p419710.pdf. In addition, it was recently announced that SEC examiners will review whether asset managers have policies to prevent and detect cyber-attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems. See Sarah N. Lynch, “SEC examiners to review how asset managers fend off cyber attacks,” Reuters (Jan. 30, 2014), available at http://www.reuters.com/article/2014/01/30/us-sec-cyber-assetmanagers-idUSBREA0T1PJ20140130.
[2] On December 19, 2013, Target Corporation announced a data breach resulting from a cyber-attack on its systems. The breach affected two types of data: payment card data, which affected approximately 40 million Target customers, and certain personal data, which affected up to 70 million Target customers. See Testimony of John Mulligan, Executive Vice President and Chief Financial Officer of Target, before the U.S. Senate Committee on the Judiciary (Feb. 4, 2014), available at http://www.judiciary.senate.gov/pdf/02-04-14MulliganTestimony.pdf; Target Press Release, Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores (Feb. 4, 2014), available at http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores.
[3] See, e.g., Joseph Menn, “Cyber attacks against banks more severe than most realize,” Reuters (May 18, 2013), available at http://www.reuters.com/article/2013/05/18/us-cyber-summit-banks-idUSBRE94G0ZP20130518; Bob Sullivan, “Bank Website Attacks Reach New Highs,” CNBC (Apr. 3, 2013), available at http://www.cnbc.com/id/100613270.
[4] See, e.g., Jim Finkle and Joseph Menn, “FBI warns of U.S. government breaches by Anonymous hackers,” Reuters (Nov. 15, 2013), available at http://www.reuters.com/article/2013/11/15/us-usa-security-anonymous-fbi-idUSBRE9AE17C20131115 (activist hackers secretly accessed U.S. government computers in multiple agencies, resulting in stolen data on at least 104,000 employees, contractors, and others associated with the Department of Energy, along with information on almost 2,000 bank accounts); “HealthCare.gov targeted ‘about 16 times’ by cyberattacks, DHS official says,” NBCNews.com (Nov. 13, 2013), available at http://www.nbcnews.com/news/investigations/healthcare-gov-targeted-about-16-times-cyberattacks-dhs-official-says-v21440068.
[5] For example, on December 9, 2013, the Financial Stability Oversight Council held a meeting to discuss cybersecurity threats to the financial system. See U.S. Department of the Treasury Press Release, Financial Stability Oversight Council (FSOC) to Meet December 9 (Dec. 2, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2228.aspx. During that meeting, Assistant Treasury Secretary Cyrus Amir-Mokri said that “[o]ur experience over the last couple of years shows that cyber-threats to financial institutions and markets are growing in both frequency and sophistication.” See U.S. Department of the Treasury Press Release, Remarks of Assistant Secretary Cyrus Amir-Mokri on Cybersecurity at a Meeting of the Financial Stability Oversight Council (Dec. 9, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2234.aspx. In addition, in testimony before the House Financial Services Committee in 2011, the Assistant Director of the FBI’s Cyber Division stated that the number and sophistication of malicious incidents involving financial institutions had increased dramatically over the past several years and offered numerous examples of such attacks, which included fraudulent monetary transfers, unauthorized financial transactions from compromised bank and brokerage accounts, denial-of-service attacks on U.S. stock exchanges, and hacking incidents in which confidential information was misappropriated. See Testimony of Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation, before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit (Sept. 14, 2011), available at http://www.fbi.gov/news/testimony/cybersecurity-threats-to-the-financial-sector.
[6] See Rohini Tendulkar, “Cyber-crime, securities markets and systemic risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges (July 16, 2013), available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf. Forty-six securities exchanges responded to the survey.
[7] On October 13, 2011, staff in the Commission’s Division of Corporation Finance (Corp Fin) issued guidance on issuers’ disclosure obligations relating to cybersecurity risks and cyber incidents. See SEC’s Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (“SEC Guidance”) (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Among other things, this guidance notes that the securities laws are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision, and that cybersecurity risks and events are not exempt from these requirements. The guidance identifies six areas where cybersecurity disclosures may be necessary under Regulation S-K: (1) Risk Factors; (2) Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A); (3) Description of Business; (4) Legal Proceedings; (5) Financial Statement Disclosures; and (6) Disclosure Controls and Procedures. The SEC Guidance further recommends that material cybersecurity risks be disclosed and adequately described as Risk Factors. Where cybersecurity risks and incidents represent a material event, trend, or uncertainty reasonably likely to have a material impact on the organization’s operations, liquidity, or financial condition, they should be addressed in the MD&A. If cybersecurity risks materially affect the organization’s products, services, relationships with customers or suppliers, or competitive conditions, the organization should disclose such risks in its Description of Business. Data breaches or other incidents can result in regulatory investigations or private actions that are material and should be discussed in the Legal Proceedings section. Cybersecurity risks and incidents that involve substantial costs in prevention or response should be included in Financial Statement Disclosures where the financial impact is material. Finally, where a cybersecurity risk or incident impairs the organization’s ability to record or report information that must be disclosed, Disclosure Controls and Procedures that fail to address cybersecurity concerns may be ineffective, and that ineffectiveness may itself be subject to disclosure. Some have suggested that such disclosures fail to fully inform investors about the true costs and benefits of companies’ cybersecurity practices, and argue that the Commission (and not the staff) should issue further guidance regarding issuers’ disclosure obligations. See Letter from U.S. Senator John D. Rockefeller IV to Chair White (Apr. 9, 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51.