This updated guidance addresses concerns on how and when public companies should disclose their cyber security risks and breaches.
In a development that will significantly affect tech firms, the U.S. Securities and Exchange Commission has updated its guidance to public companies on how and when they should disclose cyber security risks and breaches, including known vulnerabilities that have not yet been exploited by attackers.
The guidance further states that executives must not trade in their firm’s securities while in possession of nonpublic information about cyber security attacks.
It encourages firms to consider adopting specific policies that bar executives from trading in shares before a vulnerability is publicly disclosed or while a breach is under investigation.
The updated guidance, which the SEC approved unanimously, is aimed at promoting “clearer and more robust disclosure” by firms facing cyber security issues, said SEC Chairman Jay Clayton.
The SEC had first issued its cyber guidance in 2011.
Since then there has been a surge in hacking attacks, including one at the SEC itself.
According to several attorneys, the new guidance will mean more disclosure by tech firms about cyber risks and attacks.
“This essentially creates a mandatory new disclosure category – cyber security risks and incidents,” said Spencer Feldman, an attorney with Olshan Frome Wolosky LLP.
The updated guidance also addresses the insider-trading concerns that emerged in 2017 after the breach at Equifax Inc, a credit reporting agency, when it was found that several of the company’s executives had sold their Equifax shares between the company’s discovery of the breach and its public disclosure.
An Equifax board review found no wrongdoing.
According to Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, the updated SEC guidance “makes clear that it doesn’t want a repeat of the Equifax situation.”