Companies need to align efforts at disclosure, cybersecurity: SEC attorney
- Businesses facing more stringent regulatory scrutiny of their cyber vulnerabilities need to coordinate their cybersecurity staff with those responsible for disclosing cyberattacks, according to Brent Wilner, senior adviser to the Securities and Exchange Commission (SEC).
- “What you have here is a kind of disconnect between true cybersecurity experts: people who can, you know, CISOs who understand the nature of the incident, the nature of the breach, the nature of the information that has been exposed, and the people who are doing the outreach,” according to Wilner, senior adviser to the SEC’s Crypto Assets and Cyber Unit.
- “Public companies need to be aware of how they can bridge this gap,” Wilner told the West Securities Enforcement Forum Thursday. “That’s really critical.”
The SEC, chaired by Gary Gensler, has strengthened investor protection against losses in the cryptocurrency market and against the mismanagement of cyber risks.
In March the SEC proposed more rigorous and detailed rules for cybersecurity disclosure, including in-depth company reports on cyberattacks and periodic filings on cyber risk management, governance and strategy. Companies would have to report breaches within four days.
“Consistent, comparable, and useful decision-making standards for disclosure” would “strengthen the ability of investors to assess public enterprise cybersecurity practices and incident reporting,” Gensler said before the commission approved the proposal in a 3-to-1 vote.
This month Gensler announced plans to expand the SEC’s cyber unit from 30 to 50 enforcement positions, adding investigative staff attorneys, trial lawyers and fraud analysts, and to rename it the Crypto Assets and Cyber Unit.
The expanded enforcement team will focus on investigating violations of securities law related to crypto asset offerings, exchanges and lending, as well as equity products, decentralized finance (DeFi) platforms, non-fungible tokens (NFTs) and stablecoins.
Since its inception in 2017, the group has brought actions against SEC registrants and public companies that failed to limit cyber risks or to disclose cyber-related risks or breaches.
Wilner led the group in an investigation that culminated this month in a $5.5 million fine against NVIDIA for allegedly failing to disclose the impact of cryptocurrency mining on the company’s sales of graphics processing units for two quarters of fiscal year 2018. An NVIDIA spokesman declined to comment.
Wilner said companies targeted by a cyberattack should fully disclose the incident rather than issue public statements that vaguely refer to breaches as hypothetical threats.
Wilner cited the SEC Cyber Unit’s action against Pearson, a London-based educational publishing company, which last year agreed to pay $1 million to settle SEC charges of misleading investors about a 2018 cyberattack. Hackers stole millions of Pearson records, including birth dates and email addresses, the SEC said in August.
Pearson, in a semi-annual filing with the SEC in 2019, “characterized the risk of a cyber event as hypothetical and, similarly, in another statement, characterized the type of information that could have been taken as part of the incident as hypothetical,” Wilner said.
“If you’re going to talk to the market and you’re going to characterize your cybersecurity risk, and you’re doing it in a hypothetical way when you already have information that you already have this exact risk manifest, that’s going to lead to our concern from a disclosure perspective,” he said.