SEC updates guidance on disclosing cyber breaches

by Morgan Chalfant - 02/21/18 3:33 PM ET

Wall Street’s top regulator on Wednesday released updated guidance on how public companies should go about disclosing cybersecurity breaches and “risks” to the public.

The Securities and Exchange Commission’s (SEC) new guidance says companies should inform investors about cybersecurity risks, even if they have not yet been targeted by hackers in a cyberattack.

{mosads}

It also stresses that companies publicly disclose breaches in a timely fashion, and instructs firms to take steps to prevent executives and others with previous knowledge of a breach from trading in its securities before the information is made public.

The new guidance comes after credit reporting firm Equifax attracted massive scrutiny in Washington and across the country for a breach that impacted more than 145 million American consumers. Equifax discovered the breach internally at the end of July but did not publicly disclose it until September.

The company has also been scrutinized over reports that top executives sold shares in the company in the days after the breach was discovered. The company has cleared the employees of wrongdoing, saying that an internal investigation revealed they had no knowledge of the breach when they made the trades.

SEC Chairman Jay Clayton said Wednesday he hopes the updated guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

“In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives,” Clayton said.

The so-called interpretive guidance released Wednesday states that it is “critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

“Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk,” the updated guidance states.

The SEC voted to approve the guidance on Tuesday, according to the statement.

The commission attracted its own scrutiny on Capitol Hill in late September, after Clayton revealed that hackers breached the SEC’s corporate filing system known as EDGAR in 2016 by exploiting a software vulnerability.

Clayton, who was confirmed last May to lead the SEC under the Trump administration, has pledged to make cybersecurity a top issue.