SEC Makes Belated Call for Cyber-risk Disclosures

In the history of computing, the year 2011 was a different era entirely. The Facebook “Wall” was still a thing (as was Google Buzz), IBM’s Watson made an appearance on Jeopardy!, and Samsung had just released its first Galaxy Note phone. A lot has happened in the seven years since, including, unfortunately, a dramatic rise in corporate data breaches. Nonetheless, until recently, 2011 was the last time the SEC spoke to the obligations of public companies in connection with cyberattacks.

That changed last week, when the Commission broke its years-long silence and issued guidance (in the form of an “interpretive release”) expanding on its 2011 statement and urging public companies to be more transparent about cybersecurity risks. The guidance directs companies to diagnose their cybersecurity risks and to inform investors about them, even before a breach event occurs. The SEC also asked companies to adopt policies that would prevent insiders from trading in company shares in the period between the discovery of a data breach and the disclosure of that breach to the public.

SEC Chair Jay Clayton said the agency’s action would promote “clearer and more robust disclosure.” He styled the guidance as a “help us help you” situation, noting that public companies have a lot of goodwill to lose in data breaches. They should be worried about their legal obligations to disclose, he said, but equally concerned with “reputational considerations around sales of securities by executives.”

It’s hard to imagine he wasn’t thinking of the massive breach last year that struck Equifax, which eventually disclosed that executives had sold off large amounts of stock in the extended interim period before the company went public about the attack.

While the SEC guidance was generally received as a positive step, it failed to go far enough for everyone. Democratic SEC Commissioner Robert Jackson said in a statement that “The guidance essentially reiterates years-old staff-level view on this issue. But economists of all stripes agree that much more needs to be done.” The commission’s other Democrat, Kara Stein, said: “Unfortunately, I am disappointed with the Commission’s limited action.”

The audience that may have been the most pleased with the guidance was the nation’s trial lawyers. As Security Intelligence put it, “the SEC guidance made it clear that if investors are kept in the dark about security incidents,” they should “expect class action suits.”
