New SEC guidance requires companies to disclose more information in the event of a cyberattack

On Wednesday, February 21, the US Securities and Exchange Commission (SEC) updated its guidance on cybersecurity risk and breach notifications. Public companies are now expected to report on vulnerabilities that could potentially expose them to criminal hackers. In addition, covered entities must:

  • Not trade in a firm’s securities while possessing nonpublic information on cyber attacks
  • Consider adopting specific policies that restrict executives from share trading during data breach investigations and before details are disclosed

The SEC acknowledged that, since issuing its first cyber disclosure guidance in 2011, there has been a surge in data breaches, including one at the SEC itself in 2016.

Insider trading concerns stem from the Equifax 2017 data breach, during which several executives sold shares between the breach discovery and its disclosure. Despite this, an Equifax board review found no wrongdoing.

Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, said that the new guidelines “[make] clear that [the SEC] doesn’t want a repeat of the Equifax situation.”

Spencer Feldman, an attorney with Olshan Frome Wolosky LLP, said the update essentially “creates a mandatory new disclosure category – cyber security risks and incidents.”

Democrats are split on the SEC’s new guidance

Democratic National Committee (DNC) members on the commission supported the guidance, but with reluctance. They suggested it was a paltry step that failed to address the need for more stringent regulations, in light of high-profile hacks at major companies that exposed the personal information of millions of Americans. Democrats are demanding more rigorous rulemaking to enforce data breach disclosure. At the very least, they want public companies to ensure certain cybersecurity policies are in place.

Commissioner Robert Jackson downplayed the new guidance, saying it “essentially reiterates years-old staff-level views on this issue.” He cited the White House Council of Economic Advisers’ findings that companies tend to under-report cybersecurity events to investors.

Take adequate steps to ensure your organization is protected from cyber attacks

As regulations become more stringent, requiring increased reporting on cybersecurity risk events, it is important your organization is prepared. Cybersecurity threats are increasing and becoming more sophisticated, and organizations must be able to manage information security risk and protect individuals’ privacy.

An organization’s cybersecurity begins with its employees and awareness courses are an effective way to train them on their roles and responsibilities. Classroom employee awareness courses can be costly and time consuming, but IT Governance’s hassle-free eLearning courses can ease the burden. Learn more about eLearning courses at IT Governance.