SEC issues new guidance on cybersecurity disclosure
The Securities and Exchange Commission released new guidance calling for public companies to be more transparent regarding their cybersecurity risks—both before and after an attack.
“[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” the report states, “including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
The interpretive guidance, a format the SEC uses to clarify its views on securities laws and regulations, builds on a 2011 report on the same topic and was unanimously approved by all five members of the commission.
“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a statement. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Beyond urging companies to create policies to better manage cybersecurity risks and disclose breaches, the guidance also called for rules to prevent company insiders from trading stock before the public is informed of a cyber incident.
While the new report did not mention specific breaches, it comes five months after the Department of Justice, with help from the FBI and SEC, opened an investigation into insider trading by executives at Equifax, which experienced a hack exposing over 140 million records, according to Bloomberg.
Commission members Kara Stein and Robert Jackson issued separate statements lamenting the limited action taken by the SEC’s new guidance.
Calling it “far from robust,” Stein argued that the new interpretation only reiterates many of the points made by the 2011 document. Quoting a 2014 study, she said the 2011 guidance “resulted in a series of disclosures that rarely provide differentiated or actionable information for investors.”
Jackson wrote: “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy.”
Both point to numerous steps the SEC could take to be more proactive on cybersecurity issues, including the creation or improvement of incentives and penalties to motivate firms to increase their cybersecurity infrastructure, increased disclosure from companies and deeper analysis of the impact of the 2011 guidance.
The two remaining members of the commission did not release statements.