The U.S. Securities and Exchange Commission (SEC) put public companies on warning that they need to get better about how and when they disclose not just breaches but material cyber risks to investors. The instructions were part of updated guidance on breach disclosure from the SEC, meant to protect investors and bring greater clarity to what the regulator expects from public companies when it comes to information security transparency.
Among the main points the SEC brought home was that it will put particular scrutiny on trading by insiders who have knowledge of breaches, vulnerabilities or other risks not yet known to the public. This hits home for a lot of cybersecurity pundits who have followed claims of insider trading by executives at both Equifax and Intel before major security lapses at each company were made public.
In the case of Equifax, four executives, including the firm's CFO, sold $1.8 million worth of stock in the window between when the company learned of its massive breach last summer and when it disclosed the breach to the public. The company's board cleared the executives in an internal investigation, which the board says found that the individuals had no direct knowledge of the event prior to the sales. Meanwhile, the U.S. Department of Justice opened its own investigation of the matter in the fall.
More recently, Intel's CEO Brian Krzanich came under heavy fire last month when it became known that he sold $39 million in company stock with the news of the massive Meltdown and Spectre vulnerabilities looming internally but still hidden from public knowledge.
"The stock sale raised eyebrows when it was disclosed, primarily because it left Krzanich with just 250,000 shares of Intel stock – the minimum the company requires him to hold under his employment agreement," wrote Troy Wolverton of Business Insider.
The SEC wants to put the kibosh on even the semblance of impropriety in the future by urging executives to refrain from any stock sell-offs while a cybersecurity incident is under internal investigation.
"Directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the guidance directed.
Overall, the SEC guidance makes clear that its commissioners expect greater transparency from companies when a breach or a cyber risk is material to an investor, in other words when it could devalue the company. This discussion will keep the lawyers busy tying linguistic knots over which risks do and do not meet the bar of materiality, but the overall gist is that public companies need to do better at addressing cyber risk programmatically, at getting the board involved in managing these risks, and at balancing technical secrets with transparency when it comes to keeping investors informed about changes in the company's cyber risk exposure.
The SEC is putting a finer point on when and how public companies need to disclose cyber risks and breaches.
"Going forward, it seems clear that the Commission is likely to pay greater attention to board involvement in cybersecurity risk and incident oversight generally," says Edward McAndrew of Ballard Spahr LLP in its CyberAdviser privacy and data security law blog. "As with other regulators, we also expect greater scrutiny of the investigations that follow the discovery of incidents, and the timeliness and accuracy of disclosures relating to such incidents."
For now, the SEC has taken a fairly light touch on enforcement when it comes to breach disclosure or insider trading ahead of a breach announcement, even though this latest guidance is only an update of previous guidance that is nearly seven years old. But many in the security law field say this latest announcement could signal stronger oversight in the future.
"While the SEC has not yet promulgated express mandatory disclosure requirements specifically related to cyber risk or cyber matters, it again issued non-binding guidance and has taken several steps to increase cybersecurity oversight in recent months," explained Scott Lashway, Christopher Cwalina and Kaylee Cox for the firm Holland & Knight.
In fact, some commissioners intend to push for more stringent and detailed guidance. While this latest update was passed unanimously, certain commissioners said they gave their 'yea' only begrudgingly, disappointed that the guidance did not go far enough for their tastes.
"Ultimately, the step the Commission took with respect to cybersecurity risks and incidents should only be its first," wrote Commissioner Kara Stein in a public statement on the guidance's publication. "There is so much more we can and should do. I hope we will proceed accordingly for the good of investors, public companies, and our capital markets."