The U.S. Securities and Exchange Commission (SEC) on Wednesday announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents.
The SEC has advised companies to inform investors in a timely fashion of all cybersecurity incidents and risks – even if the firm has not actually been targeted in a malicious attack. The agency also believes companies should develop controls and procedures for assessing the impact of incidents and risks.
While directors, officers and the people in charge of developing these controls and procedures should be made aware of security risks and incidents, the SEC believes these individuals should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.
“Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information. In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material,” the SEC said.
These recommendations follow accusations of insider trading against executives at two major companies recently involved in significant cybersecurity incidents. Last year, questions were raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack affecting 145 million customers. Equifax claimed that the execs had been unaware of the breach when they sold shares.
Intel’s CEO, Brian Krzanich, faced similar accusations after it was revealed that he had sold all the stock he was legally allowed to, worth roughly $24 million, just before the Meltdown and Spectre vulnerabilities were disclosed. The chipmaker claimed Krzanich’s decision was not related to the disclosure, but some of the lawsuits filed against Intel over the flaws accuse the company of misleading investors.
“We’re all fighting a cyber arms race. However, some organizations have been operating the cyber war while being cloaked. Organizations determine if damage has been done, and how much damage has been done while not being made public. While these undisclosed investigations are being conducted to determine the extent and potential impact of an attack, it’s simply reckless and inappropriate for executives to trade equities, even if they’re on an automated plan,” said Bill Conner, CEO of SonicWall.
“It is good to see the SEC taking action, even if they are reacting on behalf of shareholders to protect them from the massive, headlining breaches that have become so frequent. There’s more to be done by the SEC with respect to cyber guidelines on disclosure and insider trading rules, but this is a solid step in the right direction,” Conner added.
The SEC’s cybersecurity incident disclosure guidance was first released in 2011 and it has now been updated to reinforce and expand previous recommendations. However, some officials, including SEC commissioners Kara Stein and Robert Jackson, believe the agency could have and should have done more.
“I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done,” Jackson said on Wednesday.
The SEC itself admitted last year that it was the victim of a cyberattack in 2016 that may have allowed hackers to profit through trading on non-public information obtained from its EDGAR filing system.