SEC's Expanded Cybersecurity Guidance Focuses on Insider Trading, Internal Controls
The document released Wednesday is the first guidance to be issued on cybersecurity disclosure by SEC commissioners, and comes six years after the agency's staff issued a more limited guidance in 2011.
February 21, 2018 at 06:32 PM
SAN FRANCISCO — The Securities and Exchange Commission in new guidance Wednesday urged public companies to guard against insider trading before cybersecurity breaches are disclosed and to ensure there are clear internal procedures in place to determine when a hack might be “material” to investors.
The 24-page guidance, formally adopted Tuesday, is the first to be issued on cybersecurity by the SEC commissioners. The SEC staff issued a shorter guidance document in 2011 focusing primarily on how companies should disclose cyber risks and incidents, and how threats might affect their financials. The new guidance underscores how critical cyber infrastructure has become to modern business, comparing it to “the importance of electricity and other forms of power in the past century.”
“There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” SEC chairman Jay Clayton said in a statement announcing the guidance's release. He added that he has tasked the agency's Division of Corporate Finance “to carefully monitor cybersecurity disclosures as part of their selective filing reviews.”
“We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed,” Clayton added, hinting at the possibility of new cyber breach disclosure regulations further down the road.
Keir Gumbs, a partner at Covington & Burling and a former SEC lawyer, said he was disappointed the guidance does not give more clarity about how to determine when a cyber breach is material — or provide any kind of safe harbor for companies that make good-faith determinations about the scope of a breach that later turn out to be incorrect.
“In every case that I've ever worked on, the initial assessment is wrong. You always think the cyber breach is smaller than it is,” Gumbs said in an interview. “From a practical perspective, I don't think the landscape has changed very much by this guidance.”
The guidance comes roughly a half-year after the credit reporting agency Equifax disclosed last September it had suffered a massive data breach, reportedly resulting in the leak of personal data on some 145 million people.
In the wake of that debacle, it emerged that a number of Equifax executives had sold stock before the hack became public. The company's board later cleared those executives of insider trading suspicions, concluding they were not aware of the data breach when they made the trades.
The SEC's new guidance prods companies to consider “prophylactic measures” to guard against trading by company officers on the basis of non-public information about a data breach, such as restricting trading while a hack is being investigated.
“We believe that companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure,” the document adds.
The SEC doesn't indicate that it expects more frequent disclosures by public companies. But it does make clear that it wants registrants to spell out internal procedures for determining when a cyber incident is serious enough that investors must be informed, and involve their boards in providing oversight on cybersecurity issues.
“Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions,” the guidance says.
Determining exactly what kinds of cyber information should be disclosed, however, is still a highly subjective process, according to the document.
The guidance says the SEC would consider cybersecurity information to have been omitted “if there is a substantial likelihood that a reasonable investor would consider the information important,” or if it would have “significantly altered the total mix of information available.” The agency, at the same time, said it does not want companies to disclose technical information that could offer hackers a “roadmap” for how to breach their systems.