Cybersecurity

SEC moves to quash insider trading on cyber breach news

shutterstock image id ID: 186823331 by DD Images 

The Securities and Exchange Commission released new guidance on Feb. 21 that provides additional details for how publicly traded companies should be handling data breach disclosures.

SEC Chairman Jay Clayton warned that as companies become increasingly reliant on technology and internet connectivity to store, process and share their sensitive data, the threat of hacking and data breaches will only get worse.

"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," said Clayton. 

The guidance addresses two issues related to the recent wave of data breaches: company obligations for putting in place timely and effective breach disclosure policies, and executives who sell company shares after learning about a hack but before informing investors and the public.

"In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," said Clayton.

In 2017, credit firm Equifax drew widespread outrage from the public, consumer watchdogs and Congress after it was revealed that just days before the company announced a data breach that compromised the personal information of at least 145 million Americans, three senior executives sold a combined $1.8 million in company stock. Intel CEO Brian Krzanich sold as much as $24 million in company stock in November 2017, months after the firm learned about the Meltdown and Spectre bugs inherent in their processing chips and well in advance of the public disclosure.

The guidance makes clear that the SEC views this as questionable activity and that companies that engage in such behavior risk reputational harm and increased scrutiny from regulators.

"[D]irectors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guidance states.

The SEC also makes it clear that it is the responsibility of publicly traded companies to put policies and procedures in place to facilitate timely and effective disclosure of data breaches.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected