Feb 22, 2018

Stein urges SEC action on cyber-risk disclosure

Commissioner suggests introducing rules to require disclosure of firms’ enterprise-wide consideration of cyber-risks

SEC commissioner Kara Stein has called for her agency to boost corporate disclosures about the risks issuers face in the cyber-security arena, and has taken a swipe at dual-class share structures.

‘We at the commission have not yet adequately pressed forward. While the commission’s staff have released disclosure guidance for public companies to consider when dealing with cyber-risks and breaches, the commission can and should do more,’ Stein says in a recent speech.

She argues that the commission should consider introducing rules that would require disclosure of a firm’s enterprise-wide consideration of cyber-risks. The commission should also develop rules to ensure market intermediaries, including broker-dealers and investment advisers, develop and implement policies and procedures to protect investors’ personal information, Stein adds.

She notes that shareholders are advocating – often via governance proposals – for companies to release more information about their cyber-security practices: ‘But good information remains scarce. Unfortunately, corporate disclosures are far from robust and largely consist of boilerplate language that fails to provide meaningful information for investors.’

Companies and shareholders agree cyber-security is one of the most important corporate issues, but it is unclear why companies are not doing more to implement robust cyber-security frameworks and provide useful disclosures regarding the risk of data loss, Stein says. The problem, she suggests, is that companies tend to view cyber-threats as a technology problem rather than a business risk.

‘As we have seen time and time again, cyber-security, and the related threats of unintentional loss of data, is a governance challenge for all of us, and it requires a change in culture and approach,’ she adds. ‘Cyber-security has been viewed by many as simply an IT problem, hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cyber-security into a firm’s enterprise risk-management framework.

‘To be sure, some companies are focused on cyber-threats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyber-threats as a business risk.’

Elsewhere in the speech, Stein addresses the issue of dual-class share structures – which fellow commissioner Robert Jackson also discussed publicly last week, arguing that keeping them in place permanently goes against US values by creating ‘corporate royalty.’

Similarly, Stein in her speech describes dual-class structures as ‘inherently undemocratic, disconnecting the interests of a company’s controlling shareholders from its other shareholders.’ This disassociation of interests can grow over time when certain shareholders, but not others, have the right to vote over fundamental corporate matters such as board matters, she argues.

She notes that such arrangements are prohibited in some countries, but adds that ‘we are still inexplicably letting dual-class share structures persist. While some say dual-class capital structures are designed to prevent a takeover or shareholder activism, they also may provide a means to evade management and board accountability.

‘Structures where a minority of insiders lock out the interests and rights of the majority may also have collateral effects on our capital markets. They may be harmful not just for those companies, their shareholders and their employees, but also for the economy as a whole.’

Ben Maiden

Ben Maiden is the editor-at-large of Governance Intelligence, an IR Media publication, having joined the company in December 2016. He is based in New York. Ben was previously managing editor of Compliance Reporter, covering regulatory and compliance...