At a recent cyber security panel discussion the Securities and Exchange Commission solicited input from experts in law, business and, well, cyberspace about potential regulations around security breaches and cyber threats, as reported by Reuters news source. The SEC is wanting to increase disclosure on the parts of corporations, but some experts, like business and securities attorneys in Texas, are arguing that giving up too much information would leave companies more vulnerable to both hackers and lawsuits.
Texas is proud to be known as a “business friendly” state, inviting corporations in potential legal or regulatory trouble to resettle their companies in the Lone Star State. Without a state income tax and with looser regulations than other states, Texas may see some of its corporations experience a backlash against the SEC’s proposed regulations if implemented.
After some of the high-profile data breaches experienced by companies like Target Corp and Neiman Marcus Group, corporations have come under immense political pressure to do something about it. But so has the SEC. In some of the major public policy debates, the burden of responsibility has been hefted onto the SEC for requiring public companies to disclose more information about cyber threats to investors.
But some securities attorneys in Texas don’t think it will fly. Lawyers focusing their practices on business and securities law like Roberta Karmel in Brooklyn or Douglas Shumway in San Antonio, Texas, think the commission may be coming close to “going overboard” with additional regulations around cyber threat information disclosure.
Other expert panelists told the SEC they were worried about how going beyond current cyber security disclosures could adversely impact companies. Oversharing could open corporations up to shareholder suits and regulatory probes. “These companies are already getting conflicting requirements,” one panelist reminded the SEC, as federal law enforcement agencies like the FBI “also tell companies they cannot reveal information about cyber attacks.” This puts companies in a tight spot, and their securities attorneys in Texas aren’t happy about it.
The measures the SEC has been considering include issuing more formal commission-level guidance about security-breach protocol and taking other additional regulatory steps “to ensure that companies are disclosing more material incidents to investors.” Legislators have been toying with bills that would clarify how notifications of breaches or threats should be communicated, but so far none have passed.
Balancing the proper functioning of capital markets and legitimately protecting investors is a hard balance to strike, securities attorneys in Texas like Shumway say, and there are adamant opinions on both sides of the issue. Proponents of regulation argue that companies are better able to bear the risk, while those contending that businesses’ interests should take priority see the issue as one of capital market freedom. The SEC didn’t offer any views at the panel hearing, but one commissioner did propose a consideration for forming a task force to better address the issue.
A task force could certainly gather data and inform the SEC on relevant concerns and adverse sentiment in the corporate landscape, but it’s likely that Texas will be a hold out for a “hands off” approach.