
S4 | MONDAY, JUNE 5, 2017 | Cybersecurity | NYLJ.COM
What to Expect From the SEC’s New Cyber-Savvy Chair
Jay Clayton testifies before the Senate Committee on Banking, Housing, and Urban Affairs during his confirmation hearing to become the next Chairman of the U.S. Securities and Exchange Commission in Washington, D.C., in March.
BY DANIELLE C. GRAY AND PATRICK D. McKEGNEY
DANIELLE C. GRAY, a former White House lawyer and Cabinet Secretary to President Obama, is a partner at O’Melveny & Myers in New York and a founding member of the firm’s data security and privacy practice. Litigator PATRICK D. McKEGNEY is a counsel in the firm’s securities litigation group.
Wall Street lawyer and newly-confirmed Securities and Exchange Commission Chair Jay Clayton stands to be a central figure in the nation’s awakening to cyber threats. Before his appointment, Clayton helped lead Sullivan & Cromwell’s General Practice Group, where he was known for brokering mergers and acquisitions. Although his views on issues of data security are less well known, Clayton co-authored an article in 2015 on the need to acknowledge “how little we understand” about cybersecurity.1 At his March confirmation hearing before the Senate Banking Committee, he offered a glimpse into his current thinking. In response to questions about potential legislation,2 Clayton wondered aloud whether today’s ordinary investor fully appreciates the cyber risks that he believes face all major companies. And when Sen. Mark Warner (D-Va.) pressed him on public companies’ failures to disclose significant data breaches in SEC filings, Clayton did not blink. “As I look across the landscape of discussion and understanding of cyber threats and their possible impact on companies,” he stated, “I question whether the disclosure is where it should be.”
This acknowledgement of cyber risks and the need for consistent disclosures creates an evolving landscape for publicly traded companies. While the United States lacks a principal cybersecurity regulator, the SEC has implemented regulations in its purview and has begun to penalize companies that fail to comply. As Clayton begins his tenure at the SEC, here are a few areas to keep an eye on in the months ahead, in terms of legislation, regulatory guidance and enforcement activity.
Cybersecurity Disclosure Legislation
During his March 23, 2017 hearing, Clayton answered several questions about the Cybersecurity Disclosure Act, a bipartisan bill introduced earlier that month by Sens. Warner, Jack Reed (D-R.I.), and Susan Collins (R-Maine). The act directs publicly traded companies to disclose in SEC filings whether they have cybersecurity expertise on their boards. If such an expert is not in place, the company must explain why it considered the expertise unnecessary and what other steps it has taken. Although the act does not direct boards to hire a cybersecurity expert, the disclosure requirement implies that a board lacking cybersecurity expertise will face investor inquiries.
For many companies, this call for increased cybersecurity expertise on boards may represent a significant shift. In introducing the bill, the senators referenced a 2016-17 National Association of Corporate Directors Public Governance Survey that found that only 19 percent of respondents believed their boards possessed a high level of cybersecurity knowledge, and 59 percent of respondents found it challenging to oversee cyber risk.3
Senator Reed asked Clayton whether he would “be sympathetic” to the legislation’s requirements. Without endorsing any particular legislative proposal, Clayton reiterated his belief that cybersecurity disclosures are currently inconsistent, and agreed that informed cybersecurity oversight at the board level would be relevant to investors.
Guidance on ‘Materiality’ of Risks
During his Senate testimony, Clayton was also asked about SEC guidance on the materiality of cybersecurity risks. The SEC has refrained from issuing additional cybersecurity disclosure guidance since 2011, when its Division of Corporate Finance released
DIEGO RADZINSCHI/ALM