The U.S. Securities and Exchange Commission clarified SEC cybersecurity disclosure rules this week, which could...
have big implications for how enterprises respond to data breaches and other security incidents.
The agency released a new guidance on how publicly traded companies are expected to handle cybersecurity disclosures and investigations, especially as they relate to insider trading. The "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" spells out the details of SEC cybersecurity disclosure rules. Now, security incidents and security risks are considered "material," meaning they can affect the value of the company's stock. Publicly traded companies are obligated to publicly report them and avoid trading shares before they do so.
"Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack," the SEC guidance read.
The SEC explicitly noted that such information can be considered insider knowledge, and "directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."
SEC Chairman Jay Clayton, in a press release, urged public companies "to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."
The new SEC cybersecurity disclosure rules come in the wake of Intel CEO Brian Krzanich's sale of company stock after the chipmaker became aware of the Spectre and Meltdown flaws, but before that news was made public. Krzanich sold $24 million worth of Intel stock in a scheduled sale that occurred on Nov. 29 of last year -- the same day Intel first informed OEM partners of the Meltdown and Spectre vulnerabilities.
Krzanich's sale isn't the only stock sale to be scrutinized recently. Last September, Bloomberg reported three Equifax executives had made unscheduled stock sales totaling over $1.8 million before news of the Equifax breach was made public; in November, the Equifax board declared those sales were not made on the basis of insider trading.
Concerns about how security incidents can affect stock prices go back further, according to Casey Ellis, CTO and founder of Bugcrowd, based in San Francisco, who said he suspected the issue dates back to the attempt to profit from news about a vulnerability in cardiac devices that was expected to affect St. Jude Medical's shares in 2016.
"The challenge is no longer whether there's an advantage to be gained by trading with this knowledge, but rather what the rules should be to avoid this possibility in the first place. There's also a fascinating parallel between this thread and the work being done by the Senate around mandatory breach disclosure," Ellis said. "They both involve broad disclosure to protect the consumer, but the Senate is focused on protection of the average user's data, while the SEC is thinking about protection of the average person from insider trading."
Experts weigh in on SEC cybersecurity disclosure rules
Chris WysopalCTO at Veracode
The SEC now recommends that companies publicly disclose cybersecurity incidents, as well as cybersecurity risks, and recommends that ongoing investigations -- whether conducted internally or by law enforcement -- do not provide a basis for delaying or preventing disclosure. At the same time, the new guidance does not require companies to disclose details of their cybersecurity defense or vulnerabilities that might put them at risk.
Michael Daniel, president of the Cyber Threat Alliance, a nonprofit cyberthreat-sharing organization based in Arlington, Va., called the SEC's interpretative release "a step in the right direction," and he added that "an adverse cyberincident can materially damage a company's long-term prospects. So, it makes sense to prohibit executives from trading on insider knowledge about cybersecurity risks that, if they were broadly known, would affect a company's stock price."
Ellis praised the updated SEC cybersecurity disclosure rules, though he noted there's still a long way to go. "I don't see consensus on this being settled anytime soon -- it's a complicated equation with lots of factors and conflicting motivations -- but there's a push in this direction that can only do good things to cybersecurity awareness and proactivity across the board," Ellis said.
"The guidance for insiders to not trade when they have knowledge of a breach is a good one. We have seen stock prices dip, for weeks and sometimes longer, following a breach. Nonpublic breach information is clearly material for insider trading," said Chris Wysopal, CTO at Veracode, based in Burlington, Mass. "Investors should know about breaches in a timely way. Delaying disclosure while investigations are underway just serves to delay the inevitable. General information about the breach should be disclosed as soon as it's discovered while investigations continue."