Regulator Set to Revise 6-Year-Old Cybersecurity Rules
All publicly traded companies in the United States need to review how they internally disseminate information about potential breaches and when senior managers get informed about suspected intrusions, as well as ensure that correct controls and practices are in place for preventing insider trading. In addition, these companies should expect to see revised guidance about what they need to tell investors – and when – after they suffer a suspected intrusion.
See Also: How to Scale Your Vendor Risk Management Program
Those takeaways come from comments delivered by William Hinman, the U.S. Securities and Exchange Commission’s new director of corporation finance, speaking this week at a New York legal conference.
Speaking in the wake of the Equifax breach, Hinman says the SEC is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors.
“Current guidance is in pretty good shape,” he said of the SEC’s cybersecurity policies, adding that the agency will “touch a couple of things that will be new,” including how breach information gets disclosed internally and escalated to senior management, the Wall Street Journal first reported.
He did not give a timeline for when the changes might occur. The SEC did not immediately respond to a request for comment.
But SEC chair Jay Clayton told a Senate banking committee in September that he wants to see more companies disclosing more cybersecurity information to investors more quickly (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms).
“As I look across the landscape of disclosure, companies should be providing better disclosure about their risk profile,” Clayton told the Senate Banking Committee. “Companies should be providing sooner disclosure about intrusions if it may affect shareholder disclosure decisions.”
The SEC’s cybersecurity guidance doesn’t have the force of law, but the regulator can bring enforcement actions against any publicly traded U.S. business that it believes may have misled investors about its cybersecurity practices or a data breach (see SEC Reportedly Probing Yahoo’s Breach Notification Speed).
Insider Trading Concerns
At the same time, Clayton has promised to streamline the SEC’s current regulations and help drive more initial public offerings, which some analysts believe have declined because of excessive regulations.
On that front, Clayton recruited Hinman, a veteran initial public offering attorney and the first SEC director in years to hail from Silicon Valley rather than Boston, New York or Washington.
Hinman, who’s worked on IPOs and other transactions with the likes of Apple founder Steve Jobs, Google founders Larry Page and Sergey Brin and Facebook CEO Mark Zuckerberg, will review the regulations facing companies that want to go public. Such regulations mounted following the 2000s Enron accounting scandal and the 2008 financial crisis, which led to the 2010 Dodd-Frank overhaul.
Already, however, Hinman has called on companies to examine their post-breach insider trading policies. And he says he plans to address this issue at the SEC as well. “I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Hinman told the New York conference, the Wall Street Journal reports. In parallel, he said that “it would be wise for folks to examine their insider trader policies.”
SEC’s Belated Breach Notification
His comments follow ill-timed trades by four senior executives at Equifax (see Equifax: Share-Selling Executives Didn’t Know About Breach). While the data broker says an investigation by its board has exonerated the executives, it is continuing to probe the actions of John Gamble, the company’s chief legal officer, whose office approved the executives’ stock sales, the Wall Street Journal reports. Gamble also formerly had oversight of the company’s information security operations.
Equifax isn’t the only organization to have recently reported suffering a massive breach. Embarrassingly for the chief agency charged with regulating publicly traded U.S. companies, the SEC also suffered a massive breach in 2016. The agency has faced criticism for only coming clean about the breach of its EDGAR electronic filing system for corporate data in September.
The Wall Street Journal reports that Hinman did not specifically address either the Equifax or SEC breaches by name in this comments this week.
Clayton, who took office in May, said he only learned of the SEC’s 2016 breach in August. “In response to this information, I immediately commenced an internal review,” Clayton told the Senate Banking Committee in September.
He said that rogue traders may have used stolen SEC EDGAR system information for personal gain.