SEC proposal seen lacking; onus on institutions
As SEC officials debate stronger actions to require public companies to disclose preparations for cybersecurity risks and incidents, the pressure is on institutional investors to keep pushing, industry sources said.
The Securities and Exchange Commission voted unanimously on Feb. 21 to update its 2011 guidance, which aimed to tell public companies how to disclose cybersecurity risks and procedures. SEC Chairman Jay Clayton said the update "will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors."
The update added two topics: the importance of having cybersecurity policies and procedures in place, and bans on stock trading by board members and executives after a cybersecurity incident.
For the two Democratic commissioners, Kara Stein and Robert Jackson Jr., the action was underwhelming.
"The bottom line on cybersecurity is, companies are under attack 24 hours a day, seven days a week. This is a war right now," Mr. Jackson said in an interview. He likened the SEC guidance to bringing a whiffle-ball bat to a Major League Baseball game.
Four days earlier, the White House Council of Economic Advisers raised its own alarm in a report, saying that firms are not investing enough to prevent and evaluate the risk of cybersecurity attacks, and that regulators need to do more to get public companies to up their cybersecurity prevention game. In the case of public companies, the CEA found, companies lost an average of 0.8% of their market value after a cyber event. Investors should be made aware of the risk, and all registered firms, including private funds, should make cybersecurity a compliance priority, the report authors said.
Keeping an open mind
SEC officials said on a press call that they are keeping an open mind about possible rule-making to require cybersecurity measures be disclosed in 8-K filings, but for now they will follow events and see how the market responds. An 8-K requirement "is a possibility," Mr. Clayton said at the recent SEC Speaks conference, "but it is not on my near-term agenda."
In the meantime, Mr. Clayton said, "institutional investors are asking good questions."
Some, like New York state Comptroller Thomas P. DiNapoli, are doing a lot more. Mr. DiNapoli, the sole trustee of the $209.1 billion New York State Common Retirement Fund, Albany, agrees that the latest SEC action fell short. For starters, he wants the SEC to deny a no-action relief request by Express Scripts Holding Co. after it proposed excluding the pension fund's cyberrisk shareholder resolution from its 2018 proxy statement.
The proposal calls for the company's board to review and publicly report its cyberrisk and actions taken to mitigate that risk, within a reasonable timeframe and omitting confidential information.
"Cybersecurity is one of the most critical matters facing businesses today. This is especially true for health-care companies that hold vast amounts of private patient data," said Mr. DiNapoli, who thinks shareholders deserve more information about board oversight or actions taken to mitigate cyberrisk in operations.
In an unrelated action, the New York Department of Financial Services also is stepping up cybersecurity efforts, requiring banks, insurance companies and other financial services institutions regulated by the department to have a cybersecurity program designed to protect consumers' private data, along with written policies and controls in place to help ensure the safety and soundness of New York's financial services industry, according to an August 2017 news release.
Mr. Jackson of the SEC thinks "there is more to come" from pension funds and other large shareholders, although "it's obviously not ideal when investors have to do it case by case," he said.
Anne Sheehan, director of corporate governance at the California State Teachers' Retirement System, West Sacramento, said that officials at the $231.6 billion pension fund "were very pleased when the commission acted," and they are now waiting to see how companies respond. "It's an issue that can have tremendous impact to the stock price. Having the imprimatur of the commission helps," she added.
"Shareholders now have to be vigilant and see what additional measures companies are going to be disclosing, and how they are managing this risk under this guidance," said Ms. Sheehan, who does expect to see some shareholder proposals to companies.
CalSTRS, which has 8,000 public companies in its portfolio, will continue to hold discussions with companies on their cyber policies and on board oversight of cybersecurity risks and controls. "We are watching to see how companies step up their game," said Ms. Sheehan.
"I think we've got to give it a little bit of time. If the shareholders feel they aren't getting the information, then they can come back and ask the SEC to do more," she said.
Interest from Washington
Congress is also watching. Equifax Inc.'s March 1 disclosure that it found 2.4 million more people affected by its massive data breach than initially reported prompted Sen. Elizabeth Warren, D-Mass., to call for action on legislation that she and Sen. Mark Warner, D-Va., are sponsoring. The bill would impose significant penalties on credit-reporting agencies for security breaches. Had it been in effect, Equifax would have paid at least $1.5 billion, according to a news release from Ms. Warren's office.
The pressure from regulators is real for asset managers as well, said former SEC Chairman Harvey Pitt. "They have to care, big time. For asset managers this has enormous competitive implications." His advice is "encrypt everything" and work closely with the SEC's division of investment management. "You do what you can to shore up what the government can do," said Mr. Pitt.