The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cybersecurity risks and breaches, including potential weaknesses that have not yet been targeted by hackers.
The guidance also said company executives must not trade in a firm’s securities while possessing nonpublic information on cybersecurity attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.
The SEC, in unanimously approving the additional guidance, said it would promote “clearer and more robust disclosure” by companies facing cybersecurity issues, according to SEC Chairman Jay Clayton, a Republican.
Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans’ personal information. They called for much more rigorous rule-making to police disclosure around cybersecurity issues, or requiring certain cybersecurity policies at public companies.
Commissioner Robert Jackson said the new document “essentially reiterates years-old staff-level views on this issue,” and pointed to analysis from the White House Council of Economic Advisers that finds companies frequently under-report cybersecurity events to investors.
The SEC first issued guidance in 2011 on cybersecurity disclosures.
“It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” Commissioner Kara Stein, another Democrat, said in a statement. Significant breaches have included those at Equifax Inc. consumer credit reporting agency, and at the SEC itself.
The agency announced in September its corporate filing system, known as EDGAR, was breached by hackers in 2016 and may have been used for insider trading. The matter is under review.
The new guidance will mean that corporations disclose more information about cyberattacks and risks and take steps to ensure no insider trading can occur around those events, said several attorneys who advise businesses on the subject.
“This essentially creates a mandatory new disclosure category — cybersecurity risks and incidents,” said Spencer Feldman, an attorney with Olshan Frome Wolosky LLP.
Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, said the SEC guidance “makes clear that it doesn’t want a repeat of the Equifax situation.”