SEC (Securities and Exchange Commission) Holds Cybersecurity Roundtable
On March 26, 2014, the SEC held the Cybersecurity Roundtable in light of growing concerns regarding cybersecurity. The focus of the roundtable was to advise the SEC, the industry, other government agencies, and the private sector of the cybersecurity risks and the strategies to address such risks. The roundtable was divided into four panels: (i) Cybersecurity Landscape, (ii) Public Company Disclosure, (iii) Market Systems, and (iv) Broker-Dealers, Investment Advisers, and Transfer Agents. While each panel focused on specific questions regarding cyber threats and security concerns, many themes recurred across the panels’ discussions.
Panelists generally agreed that cybersecurity is one of the primary risks for businesses today and noted that businesses should evaluate both external cybersecurity risks, including those posed by third-party service providers, and internal ones. When discussing what actions the SEC should take in response to these threats, the panelists largely believed that the SEC should issue principles-based guidance rather than crafting rules that attempt to address all industries. They noted that such rules may not be effective, given that one solution does not apply to all scenarios and that, due to swift technological advancements, any rules would likely be antiquated not long after adoption. Several panelists did note, however, that the SEC should encourage information sharing among registrants and among other regulatory agencies.
The role of the board of directors was another theme that arose in several panel discussions. Participants repeated that the board’s role is one of oversight, and subject-matter expertise regarding cybersecurity is not required. In fact, they noted that board members who are generalists are better suited to address a variety of business issues. To fulfill their oversight role, boards should be kept apprised of information and should ask meaningful questions regarding a company’s preventive actions.
Finally, panelists also acknowledged that developing procedures for identifying areas of potential enterprise-wide risk and establishing response methods are the best ways to prepare a company for future cyber-attacks. Some panelists even recommended conducting cyber-attack simulations and involving senior management in those simulations.
While the staff did not indicate that additional rulemaking in response to the roundtable was imminent, as noted above under "SEC Examiners to Review Asset Managers Cybersecurity Defenses," the SEC is moving ahead on reviewing and scrutinizing asset managers’ preventative cybersecurity policies and procedures. The SEC is accepting comments regarding issues addressed at the roundtable until May 2, 2014.
Source: Investment Company Institute Memorandum Regarding Summary of the SEC’s March 26 Cybersecurity Roundtable (March 28, 2014).