In a push for increased cybersecurity vigilance, the Securities and Exchange Commission indicated its plans to amend existing data security guidance, including the reporting of data breaches.
Speaking at a Practising Law Institute event in New York City, SEC Director of Corporation Finance William Hinman urged publicly traded companies to review their practices with regard to cybersecurity. More specifically, he suggested consideration of how a company internally disseminates information about potential breaches, the point at which senior managers get informed about suspected intrusions, and how companies report data breaches to their investors.
These issues are top of mind for the agency, Hinman said, and will likely be the subject of tweaks to the SEC’s data security guidance. “Current guidance is in pretty good shape,” he told attendees. But the agency will “touch [on] a couple of things that will be new” to the six-year-old guidance, such as how breach information gets disclosed internally and escalated to senior management.
“I think this issue is important enough, wide-ranging enough that we should tackle it at the Commission level,” he added.
Also on the radar: ensuring that appropriate controls and practices are in place for preventing insider trading. “It would be wise for folks to re-examine their insider trading policies,” Hinman noted. Although he didn’t explicitly reference the incident, the topic was likely spurred by the recent Equifax data breach, where reports have claimed that three company executives sold nearly $2 million worth of shares in Equifax after they learned about the breach but before it was announced to the public.
While Hinman did not discuss a time frame for when the SEC might make the changes, his remarks echoed a similar sentiment shared by SEC Chair Jay Clayton when testifying before the Senate Banking Committee earlier this year. Clayton told legislators that companies need to disclose more cybersecurity information to their investors, and in the event of a breach, do it more quickly.
“As I look across the landscape of disclosure, companies should be providing better disclosure about their risk profile,” Clayton said. “Companies should be providing sooner disclosure about intrusions if it may affect shareholder disclosure decisions.”
The SEC has increasingly focused on cybersecurity issues, including the creation in September of a new Cyber Unit to focus on misconduct involving hacking and threats to trading platforms, the spread of false information through electronic and social media, and misconduct involving distributed ledger technology.
Why it matters
The SEC’s current cybersecurity guidance was released in October 2011, a lifetime in the digital world and before the recent record-setting breaches such as that at Equifax. At the time, the agency did not mandate that public companies report every data breach to investors but instead discussed how a major attack could impact a company’s business, which would in turn necessitate the need for disclosure to investors. Based on the comments from current SEC leadership, it appears the agency could take a stronger line on disclosures as well as on enforcing insider trading restrictions in the context of an undisclosed data breach. Public companies should also closely evaluate any data breaches (or threats of data breaches) when drafting their periodic reports for the SEC.