SEC Commissioner Jackson: Companies Must Quickly Disclose Data Breaches

New SEC Commissioner Robert Jackson wants greater, and more prompt, disclosure of cyber security breaches at publicly-traded companies, he said Thursday during the 30th annual Tulane Corporate Law Institute. Jackson, the two-day event’s keynote speaker, hinted that the SEC – on the heels of releasing new guidelines on reporting cyberattacks -- will need the industry to more aggressively prepare for attacks and be more forthcoming when they happen. “The cyber threat is not primarly a regulatory issue any more than it is primarily a technological issue,” Jackson said. “Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention.” Jackson’s keynote highlighted another record-setting attendance for the Tulane Corporate Law Institute – this year drawing more than 700 lawyers, bankers, judges, regulators and other M&A specialists to New Orleans to discuss emerging trends in dealmaking.  The New York Times has called the Tulane forum “the equivalent of Davos for the rainmaker set.” Jackson, formerly a leading corporate law scholar at NYU and Columbia law schools, was sworn in to fill a Democratic seat on the SEC that expires in mid-2019. He has also served as an adviser to senior officials at the Department of the Treasury and in the Office of the Special Master for TARP Executive Compensation. Prior to that government service, he practiced at Wachtell, Lipton, Rosen & Katz, where he focused on executive compensation. During Thursday’s address, Jackson acknowledged that the SEC’s guidance did not identify a specific timeline for reporting cyberattacks, instead leaving it to a company’s board to determine whether an attack merits full disclosure. As he has in past scholarly research, Jackson indicated his overriding concern was whether investors received timely – and full – disclosure. He called on corporate attorneys to make sure investors get the information they need, and to push boardrooms to follow best practices. He pointed to his staff’s research in 2017 of cybersecurity attacks at public companies that were reported to state and federal regulators.  Of the 81 that occurred, only two companies reported the breaches to investors.

“In 2017, companies that suffered data breaches chose not to file an 8K [SEC disclosure] more than 97 percent of the time,” Jackson said.

 Following the CLI, which ends Friday, Tulane Law School will host the 2nd annual Tulane Corporate Law Roundtable on Saturday, March 17, which will feature more than a dozen of the country’s top scholars in corporate and securities law. The Saturday event is organized by Ann Lipton, the Michael Fleishman Associate Professor of Business Law and Entrepreneurship and is sponsored through support from the Sher  Garner Endowed Fund for the Advancement of Commercial Law and Tulane University’s Murphy Institute. It runs from 8:30 a.m. to 5 p.m. at the John Giffen Weinmann Hall, Room 257, 6329 Freret St., and the public is welcome. The event will cover additional topics, including merger issues, corporate democracy, and enforcement of securities laws and legal aspects of diversification. The Sher Garner Endowed Fund was set up by Lee Sher (A&S '74, L '76) and Jim Garner (E '86,L '89), devoted Tulanians and founders of Sher Garner Cahill Richter Klein & Hilbert, to support an expansion of Tulane’s scholarly leadership in commercial and business law.   Annually, it underwrites lectures, roundtables and other activities devoted to the study of commercial, business and finance law.