RSA 2015: Experts talk investor interest in cybersecurity, regulatory changes on horizon
Financial experts discussed complex disclosure expectations among investors.
Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a group of security and legal experts in San Francisco that the Securities and Exchange Commission (SEC) is about to “enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.
During a Thursday morning panel at RSA Conference 2015, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility board of directors face in the wake of high-profile breaches, which will indelibly engage investors' attentions.
“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.
While the SEC's Division of Corporation Finance published guidance in 2011 to make companies aware of the agency's views on what needs to be reported as far as material information disclosure related to cyber incidents, Ramarathnam noted that the guidance provided context for current SEC rules, but no new regulatory obligations for organizations.
He added that the SEC is currently aiming to improve its inspections and investigations by leveraging data analystics more often, not just in cybersecurity incidents, but for regulatory matters in general.
Trillium's Kron also gave pointed insight on how investor interests are often diversified, meaning they've invested in multiple companies so are interested in how the larger market (and not one sector or firm) will be impacted by evolving cyber threats.
Though investors want to be assured that adequate security measures and response efforts are in place at companies in which they hold a stake, they typically aren't expecting to receive granular information on day-to-day activities or threat alerts, Kron explained.
“In some ways, what we want is good information, not fast information,” Kron said of investors.