In 2011, the SEC published a set of recommendations relating to the disclosure of an organization’s cybersecurity risks and cyber incidents. In this document the SEC stated, “registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and went on to describe existing disclosure obligations such as risk factors, description of business, and financial statement disclosures where cyber risks and incidents would often need to be discussed.
With the release of a new set of recommendations in February 2018, the Commission has once again highlighted the need to address cybersecurity issues in the securities and exchange industry. The guidelines have evolved from their 2011 roots to better address the issues facing companies and investors in an age of severe and costly cybersecurity threats. Perhaps the most notable difference in the new guidelines is the expectation that previous or ongoing cyber incidents be disclosed in order to give proper context to the new risks that must be disclosed. This has a wide range of implications for organizations looking to follow these disclosure guidelines. The example given in the guidelines is a company that wishes to disclose the risk of a DoS attack against it. To do so under these guidelines, the company may also need to disclose the occurrence of a past DoS incident to better frame the discussion of its risks. Beyond DoS, this could require companies to disclose past incidents in other areas of cybersecurity, such as phishing, ransomware or injection attacks, that have affected the company itself, its vendors, its clients or even its competitors, in order to properly communicate their risk factors to investors.
Another area of note in these new guidelines is insider trading on the basis of undisclosed knowledge of cybersecurity incidents. Under the Exchange Act, it is illegal to trade a security “on the basis of material nonpublic information about that security or issuer”, and trading with knowledge of an undisclosed cybersecurity incident would certainly violate this rule. Where a company is still assessing an undisclosed cybersecurity incident, the SEC recommends having well-defined policies and procedures to prevent those with knowledge of the incident from breaking insider trading rules. This could include placing specific trading restrictions on the accounts of such individuals for the duration of the investigation. While this is nothing revolutionary, it is a step in the right direction by the SEC in bringing awareness to the problem. It is especially relevant given recent cases such as Equifax, where $1.8 million of stock was sold just days after the company had learned of its 2017 breach.
Overall, these recommendations do serve to raise awareness of cybersecurity and its impact on companies and investors. There is, however, certainly room for improvement. In future iterations, the SEC could look to add enforcement power, as seen in newer regulations such as GDPR. Nevertheless, as cybersecurity incidents and responses become more prevalent and costly for companies and investors, it is good to see the SEC beginning to take steps toward addressing the very real threat that malicious cyber actors pose to the economy.