SEC moves to quash insider trading on cyber breach news

shutterstock image id ID: 186823331 by DD Images 

The Securities and Exchange Commission released new guidance on Feb. 21 that provides additional details for how publicly traded companies should be handling data breach disclosures.

SEC Chairman Jay Clayton warned that as companies become increasingly reliant on technology and internet connectivity to store, process and share their sensitive data, the threat of hacking and data breaches will only get worse.

"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," said Clayton. 

The guidance addresses two issues related to the recent wave of data breaches: company obligations for putting in place timely and effective breach disclosure policies, and executives who sell company shares after learning about a hack but before informing investors and the public.

"In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," said Clayton.

In 2017, credit firm Equifax drew widespread outrage from the public, consumer watchdogs and Congress after it was revealed that just days before the company announced a data breach that compromised the personal information of at least 145 million Americans, three senior executives sold a combined $1.8 million in company stock. Intel CEO Brian Krzanich sold as much as $24 million in company stock in November 2017, months after the firm learned about the Meltdown and Spectre bugs inherent in their processing chips and well in advance of the public disclosure.

The guidance makes clear that the SEC views this as questionable activity and that companies that engage in such behavior risk reputational harm and increased scrutiny from regulators.

"[D]irectors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guidance states.

The SEC also makes it clear that it is the responsibility of publicly traded companies to put policies and procedures in place to facilitate timely and effective disclosure of data breaches.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Elections
    voting security

    'Unprecedented' challenges to safe, secure 2020 vote

    Our election infrastructure is bending under the stress of multiple crises. Administrators say they are doing all they can to ensure it doesn't break.

  • FCW Perspectives
    zero trust network

    Can government get to zero trust?

    Today's hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.