The SEC’s interpretive guidance is aimed at clarifying public companies’ obligations for disclosing cyber incidents.
The SEC’s interpretive guidance is aimed at clarifying public companies’ obligations for disclosing cyber incidents.

“Principles-based” guidance issued by the Securities and Exchange Commission (SEC) Wednesday clarifies how the commission views the disclosure responsibility of public companies that have fallen victim to a cyberattack.

“I believe that providing the Commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” the SEC Chairman Jay Clayton said in a statement, noting that “in today's environment, cybersecurity is critical to the operations of” markets and companies, which “increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies.”

Noting the “frequency, magnitude and cost of cybersecurity incidents,” the SEC said it was “critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”

The guidance said disclosure controls and procedures that have a mechanism for determining the impact of a cyberattack or incident are key to a public company being able to “to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe,” stressing that “a company's directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

The SEC also cautioned that “directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”

Last year before Equifax made public that it had suffered a major breach, exposing the data of 145.5 million American consumers, a few of the credit reporting company's executives sold $1.8 million of stock. A commission appointed by the Equifax board eventually determined there was no wrongdoing but the timing of the sale raised eyebrows.

“The one good thing, and it remains to be seen how effective it is, is that company officers and insiders are no longer allowed to trade stock when they know something's about to break. It's late, but at least it's there for a change,” said Chris Roberts, chief security architect at Acalvio. “However, it's still not really got teeth as it throws it back on the companies to “consider the consequences of actions” as opposed to saying “insiders will be hung, drawn, quartered and tarred and feathered for good measure”.

The SEC's guidance calls for public companies to “have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information.”

The commission said that companies should consider “the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.”

The commission gave its unanimous approval to the interpretive guidance, but Commissioner Kara Stein, a Democrat appointee, questioned in a statement whether it would “actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents. I fear it will not,” said Stein, who noted that she “was very supportive” when the chairman added cybersecurity to the SEC's agenda. “Unfortunately, I am disappointed with the Commission's limited action.”

That's a sentiment shared by Roberts. “Sadly, the document is so watery that even Budweiser wouldn't call it beer,” said Roberts. “Basically it's saying ‘we'd like to know if you have a risk' but we are not really asking because we don't want you to disclose because that'll be bad and give the criminals ways to break into you, but really we want to know if it's going to break Wall Street…but we don't want to know because it'll break you, but we kinda want to know if you REALLY think we need to know. So it's going round and round in circles and is, frankly, useless.”

Stein said the commission could have assessed what the staff had learned since the SEC released guidance in 2011 and built new recommendations from those findings. “After all, the staff of the Division of Corporation Finance reviews hundreds of public company filings every year,” she said. “The staff also reviews hundreds of shareholder proposals each year, many of which have been increasingly calling on companies to provide more effective cyber-related disclosure.”

Stein also believes the commission should have reviewed advances in technology used in cyberattacks over the last seven years and the impact they could have on disclosure based on company-specific risks. “We could have considered the suggestions from some of our leading commenters, including academics and practitioners,” she said, particularly considering preliminary suggestions from the Investor Advisory Committee Subcommittee and assessed “the value to investors of a company's protocols relating to “a company's protocols relating to, or efforts to minimize, cybersecurity risks and its capacity, and any measures taken, to respond to cybersecurity incidents; whether a particular cybersecurity incident is likely to occur or recur; or how a company is prioritizing cybersecurity risks, incidents, and defense.”

The commission also missed the opportunity develop more robust, meaningful guidance when it failed to discuss “the value to investors of disclosure regarding whether any member of a company's board of directors has experience, education, expertise, or familiarity with cybersecurity matters or risks,” said Stein. “And, if not, why the company believes that board-level resources are not necessary for the company to adequately manage its cybersecurity risks.”

Another Democrat appointee, Robert Jackson, called the initiative the “first step toward defeating those who would use technology to threaten our economy,” casting the guidance as a reiteration of “years-old staff-level views” on cybersecurity. “But economists of all stripes agree that much more needs to be done.”