SEC moves to quash insider trading on cyber breach news

The Securities and Exchange Commission released new guidance on Feb. 21 that provides additional details for how publicly traded companies should be handling data breach disclosures.

SEC Chairman Jay Clayton warned that as companies become increasingly reliant on technology and internet connectivity to store, process and share their sensitive data, the threat of hacking and data breaches will only get worse.

"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," said Clayton. 

The guidance addresses two issues related to the recent wave of data breaches: company obligations for putting in place timely and effective breach disclosure policies, and executives who sell company shares after learning about a hack but before informing investors and the public.

"In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," said Clayton.

In 2017, credit firm Equifax drew widespread outrage from the public, consumer watchdogs and Congress after it was revealed that just days before the company announced a data breach that compromised the personal information of at least 145 million Americans, three senior executives sold a combined $1.8 million in company stock. Intel CEO Brian Krzanich sold as much as $24 million in company stock in November 2017, months after the firm learned about the Meltdown and Spectre bugs inherent in their processing chips and well in advance of the public disclosure.

The guidance makes clear that the SEC views this as questionable activity and that companies that engage in such behavior risk reputational harm and increased scrutiny from regulators.

"[D]irectors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guidance states.

The SEC also makes it clear that it is the responsibility of publicly traded companies to put policies and procedures in place to facilitate timely and effective disclosure of data breaches.