The Securities and Exchange Commission wants companies to be more transparent about the way they handle data breaches.
On Wednesday, the financial regulator issued updated guidance regarding expectations that companies must meet in disclosing cybersecurity vulnerabilities and hacking incidents. The SEC document is nonbinding, but it outlines the bare minimum that companies must do to avoid legal trouble.
The unanimously approved guidance details the ways public companies ought to be transparent with investors and other stakeholders when it comes to cyber risks. The memo tells companies to disclose information about incidents or vulnerabilities in a timely manner.
In addition, the guidance addresses the issue of company officers selling shares before publicly disclosing a known cybersecurity incident. This was an issue that clouded the recent publication of two critical microchip flaws affecting Intel, AMD and ARM.
“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the 24-page statement says.
The memo also reminds companies that if their employees sell shares after learning of a risk or breach but before the issue is publicly disclosed, it is considered illegal insider trading.
“[I]nformation about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information,” the guidance says.
Notably, the guidance states that the presence of an ongoing internal investigation should not preclude a company from informing its investors of a breach. The mention is significant because compromised companies have in the past kept their incidents secret, citing the need for confidentiality due to a law enforcement investigation.
Several recent breaches have raised questions about how forthcoming companies have been in their public responses. In the case of the Equifax breach that exposed the personal data of about 145.5 million Americans, three company executives sold shares worth a collective $2 million just days after the breach was discovered, but more than a month before it was disclosed.
“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton in a press release. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”