SEC Releases new Guidelines for Cybersecurity Risk Disclosures

The SEC closes the stable door after the horse has bolted.

The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers.

The guidance also said company executives must not trade in a firm’s securities while possessing nonpublic information on cyber security attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.

The SEC, in unanimously approving the additional guidance, said it would promote “clearer and more robust disclosure” by companies facing cyber security issues, according to SEC Chairman Jay Clayton, a Republican.

Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans’ personal information. They called for much more rigorous rulemaking to police disclosure around cyber security issues, or requiring certain cyber security policies at public companies.

Commissioner Robert Jackson said the new document “essentially reiterates years-old staff-level views on this issue,” and pointed to analysis from the White House Council of Economic Advisers that finds companies frequently under-report cyber security events to investors.

“It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” Commissioner Kara Stein, another Democrat, said in a statement.

The SEC first issued guidance on cyber disclosures in 2011. There has since been a surge in breaches, including one at the SEC itself.  The agency announced in September that its EDGAR corporate filing system was hacked 2016 and may have been used for insider trading.  The matter is under review.

The new guidance will mean an increase in information disclosed on cyber attacks and risks!

Uber paid off a hacker and failed to disclose a massive data breach promptly. Intel (NASDAQ:INTC) was criticized for lack of transparency related to its Spectre and Meltdown chip flaws.  Equifax (NYSE:EFX) waited months to announce its breach, failed to reveal the depth of the attack, and raised questions when execs dumped shares before the hack was disclosed.

Source:  Reuters