The Securities and Exchange Commission (SEC) Commissioner Kara Stein said the market regulator may need to begin issuing rules to ensure that public companies and the financial markets are adequately safeguarding investor information.
“We need to think more comprehensively about the cyber wars going on,” Stein said in a Sept. 27, 2018, speech in Atlanta. “All need to up their game to protect our critical systems, personal data and economy from cyber threats. Tepid responses from government and businesses are invitations that cybercriminals simply cannot ignore.”
Stein’s direct reference was to the guidance the SEC published in February in Release No. 33-10459, Commission Statement on Guidance and Public Company Cybersecurity Disclosures. The release updated the 2011 guidance in Disclosure Guidance: Topic No. 2, Cybersecurity, and, in part, addressed concerns that the 2011 document had become outdated because of the technology sector’s rapid change. She echoed criticisms she lodged when Release No. 33-10459 was published, noting that it was too limited in its scope and in the obligations it expects from public companies.
Stein said much of the responsibility for protecting the financial markets and U.S. businesses lies with boards of directors. She cited the requirement from the Sarbanes-Oxley Act of 2002 that boards have at least one financial expert on their audit committees and said it should serve as a guide of sorts for how boards deal with cybersecurity. Stein stopped short of supporting a clear requirement that the boards have cybersecurity experts, and she does not foresee boards taking over the daily supervision of computer security. But she supports a more rigorous interaction with management.
“Independent directors should meet with the company’s Chief Information Security Officer at least twice annually in executive session, without members of management present, so that they can have open, frank and meaningful discussions about culture, tone and the resources dedicated to both prevention and resiliency,” Stein said.
Stein also called for modernization of a number of rules the SEC has issued in the past two decades to safeguard the markets and personal privacy.
Stein cited the rules the agency adopted in 2000 in Release No. 34-42974, Privacy of Consumer Financial Information (Regulation S-P), which limited financial institutions’ ability to disclose consumers’ personal information. In Stein’s view the rules, which require financial institutions to have written policies for protecting customer information against hackers and other computer threats, are too narrowly written because they do not actually require the protection of customer information or require investors to be notified when their files have been hacked.
Release No. 34-73639, Regulation Systems Compliance and Integrity (SCI), the 2014 rule that requires stock exchanges and clearinghouses to have procedures for securing their systems is due for an update, Stein said. The SEC needs to ensure that more market participants, including brokers and investment advisers, are protecting customer information through strengthened versions of Regulation SCI and the consumer privacy rules adopted in 2000.
Stein also said the completion of the stock market’s trade reporting system mandated by the 2012 rule in Release No. 34-67457, Consolidated Audit Trail, was a necessary piece of improving the financial markets’ protections from hacking and other threats from the misuse of technology.
For more information on this topic, or to learn how Baker Tilly SEC accounting specialists can help, contact our team.
We have partnered with Thomson Reuters to issue our monthly SEC accounting insights. Please feel free to contact Baker Tilly at firstname.lastname@example.org if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. © 2018 Thomson Reuters/Tax & Accounting. All Rights Reserved.