Corporate governance and cybersecurity

Credit to Author: KELVIN LESTER LEE | Date: Tue, 03 Sep 2019 17:27:46 +0000


I am reproducing below edited excerpts of my short keynote speech during the recent SEC Cybersecurity Briefing. My keynote touched on what I believe is a timely topic: the interconnection between corporate governance and cybersecurity. I hope you will allow me to use this column to elaborate.

Now, before I begin, let me just give the standard disclaimer: the views I express here are my own and do not reflect the views of the Commission, my fellow Commissioners, or the Securities and Exchange Commission (SEC)’s Staff.

Although it already seems like a lifetime ago, I was only recently appointed an SEC Commissioner in January 2019 and assumed office in February 2019, and a new commissioner recently took his oath to join us at the en banc. Anyway, it has been a privilege to serve and an amazing experience so far, especially since I have the honor of working side by side with the talented and hardworking Staff of the SEC.

Now, when I got to the Commission, I was assigned oversight over two departments which I did not believe, at that time, could be connected in any way: the Corporate Governance and Finance Department and the Information and Communications Technology Department. However, after a little over six months in the job, I have realized this is not the case. It turns out I am in a unique position, at the intersection between corporate governance and information and communications technology, which has given me a distinct perspective from which to discuss the topic of cybersecurity.

And so, with that background, I wanted to discuss today what I think is a most pressing issue in corporate governance: the rising cyber threat and the need for board-level involvement with a company’s cybersecurity. Make no mistake, cybersecurity is a corporate governance issue. It should not be treated separately or as a mere checkbox in this day and age of increasing technological advances and security risks.

As anyone who spends time in the business world knows, digital transformation has had a substantial impact on all business models, resulting in productivity increases and cost reductions. With the use of various technological innovations, including, but not limited to, computer processing, cloud computing, smart devices and the like, the use of data across business models makes processes faster, more efficient, more effective and cheaper, and at the same time helps companies gain a competitive edge and keep pace with their competitors.

And as I am sure you are all aware as well, there has never been a more critical time for companies and institutions when it comes to cyber threats. In a time when even tech giants, such as Facebook, are being penalized heavily by regulators in different jurisdictions for data breaches, and when cyber-attacks cost an estimated $575 billion per year, it should come as no surprise that cybersecurity is now, or should be, on the mind of every board director.

This, however, raises the question, “Is cybersecurity considered a corporate governance issue?” My answer to that is a resounding YES.

Boards play a major role in maintaining good governance within the corporation. It is their mandate and responsibility to protect the corporation, its shareholders, employees and stakeholders against risk management issues, including potential and existing cyber breaches and threats, through the issuance of corporate measures and resolutions to that effect. Beyond that, it is the fiduciary duty of the board of directors to ensure that these measures, in the form of secure internal controls and regular IT testing, are actually being carried out, since cyber breaches can expose corporations to serious legal liability.

In that light, I would suggest that we, at the SEC, need to step in. The SEC needs to consider issuing guidelines or regulations directed towards companies regarding their cybersecurity, in particular public companies, which have a duty to disclose, and publicly listed companies (PLCs), where any data breach could affect their share prices in the stock market.

This would not be unprecedented. The US SEC, in 2018, issued what it calls a “Guidance” for public companies on cybersecurity-related disclosures. That guidance communicates the US SEC’s view on the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.

ASIC (the Australian Securities and Investments Commission), on its website, has also emphasized the need for cybersecurity strategy and governance. Specifically, ASIC has provided regulatory resources on cyber resilience good practices. Good Practice Number 1 specifically mentions board engagement and states that the board should take ownership of the cyber strategy.

In short, securities and company regulators, such as ourselves at the SEC, can and should do more when it comes to regulating cybersecurity. It would send a strong message to the business world that cybersecurity is an important issue, and needs to be specifically addressed.

Besides, and please correct me if I am wrong, I do not believe there are comprehensive regulations specifically requiring companies to disclose their cybersecurity measures and requiring board directors to take a more pro-active role towards cybersecurity. A right word from us at the SEC, a little nudge here and there, by way of such rules, can help make more companies more secure against cyber-threats, which would be good not only for the company but also for the capital market and the economy as a whole.

Let me end by quoting another SEC commissioner, Commissioner Robert J. Jackson Jr. of the US SEC, who also advocates that cybersecurity is a corporate governance matter: “Yes, new rules and regulations can help push companies toward cyber resiliency. The cyber threat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention.”

With that, I hope I have given you all something to think about when it comes to corporate governance and cybersecurity. Rest assured that we, at the Commission, are working hard to enact changes that will be good for the business sector, the general public and the country. Thank you.

Kelvin Lester K. Lee is a Commissioner of the Securities and Exchange Commission (SEC). He is the co-chairperson of the SEC Committee on Memorandum Circulars To Operationalize Revised Corporation Code Provisions. The views and opinions stated herein are his own. You may email your comments and questions to oclee@sec.gov.ph