The U.S. Securities and Exchange Commission has signaled that it expects to issue updated guidelines on reporting cybersecurity incidents.
“I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” said William H. Hinman, the SEC’s new director of the Division of Corporate Finance. Hinman’s remarks were made last week during a speech in New York and reported by the Wall Street Journal.
Hinman hinted that the guidelines would “touch a couple of things that will be new,” such as disclosure controls and escalation procedures after a cybersecurity incident. “When an event happens,” he said, it should be “looked at by the right levels of management with an eye toward how … [it] impacts the business.”
He also noted that safeguards against insider trading violations might be addressed in the forthcoming guidance: “[I]t would be wise for folks to examine their insider trading policies” in connection with a systems breach.
No time frame was given for the updated guidelines.
As a reminder, the SEC issued its “guidance” more than six years ago on when to disclose an incident to investors. But the SEC’s guidance is just that. It is not a rule or regulation, nor is it mandatory.
Since the guidance was issued, we’ve seen a dramatic spike in the number and severity of data security incidents, including the massive Equifax breach (145.5 million U.S. consumers affected), Yahoo (3 million user accounts hacked) and even the SEC itself (database with nonpublic information compromised).
In a New York Times DealBook essay, I wrote about the competing demands that public companies face when confronting data breach disclosure. To avoid tipping off the bad guys to a law enforcement investigation, companies are often encouraged to keep confidential the fact that they’ve been hacked. But executives and corporate boards also have a duty to the public markets and investors to provide prompt information about material risks to their businesses.
When a company does not disclose to the public that such an attack has occurred – even if the nondisclosure stemmed from the insistence of law enforcement – investors in that company might be deprived of material information. And even when a victimized company discloses an attack, it would be difficult for management to cooperate with law enforcement while facing the ire of investors.
In many cases, this tension between the demand for discreet cooperation and the obligation to inform investors and the markets has created an untenable and dangerous dilemma for companies. Securities laws do not say, one way or another, when an intrusion requires disclosure.
But if the SEC steps forward with updated guidance, perhaps it will bring clarity to the competing demands of law enforcement cooperation and public disclosure that public companies face.