SEC moves to quash insider trading on cyber breach news

shutterstock image id ID: 186823331 by DD Images 

The Securities and Exchange Commission released new guidance on Feb. 21 that provides additional details for how publicly traded companies should be handling data breach disclosures.

SEC Chairman Jay Clayton warned that as companies become increasingly reliant on technology and internet connectivity to store, process and share their sensitive data, the threat of hacking and data breaches will only get worse.

"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," said Clayton. 

The guidance addresses two issues related to the recent wave of data breaches: company obligations for putting in place timely and effective breach disclosure policies, and executives who sell company shares after learning about a hack but before informing investors and the public.

"In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," said Clayton.

In 2017, credit firm Equifax drew widespread outrage from the public, consumer watchdogs and Congress after it was revealed that just days before the company announced a data breach that compromised the personal information of at least 145 million Americans, three senior executives sold a combined $1.8 million in company stock. Intel CEO Brian Krzanich sold as much as $24 million in company stock in November 2017, months after the firm learned about the Meltdown and Spectre bugs inherent in their processing chips and well in advance of the public disclosure.

The guidance makes clear that the SEC views this as questionable activity and that companies that engage in such behavior risk reputational harm and increased scrutiny from regulators.

"[D]irectors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guidance states.

The SEC also makes it clear that it is the responsibility of publicly traded companies to put policies and procedures in place to facilitate timely and effective disclosure of data breaches.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.