SEC Plans Cybersecurity Guidance Refresh: What to ExpectBreach Notification Timing and Insider Trading Rules Among Expected Changes
The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors.
The agency has indicated that it expects to refine guidance around how businesses disclose cybersecurity risks to investors as well as require insider trading programs to include blackout rules in the event that a suspected data breach gets discovered (see Report: SEC Plans Breach Reporting Guidance Refresh).
"Unfortunately, in the reality that we live in now, cyber breaches are going to be increasingly common, and this is in part why the SEC is so fully focused on cybersecurity," says Matt Rossi, a former assistant chief litigation counsel to the SEC who's now an attorney specializing in securities litigation and enforcement as well as data privacy at global law firm Mayer Brown. "Chairman [Jay] Clayton said it's one of the greatest risks to the financial system right now."
Indeed, in September, Clayton signaled to a Senate banking committee that companies would be required to disclose more cybersecurity information to investors in a timely manner (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms).
His remarks, ironically, followed the SEC having failed to publicly disclose its own major breach for 16 months (see Hackers May Have Traded on Stolen SEC Data).
In November, meanwhile, William Hinman, the SEC's director of corporation finance, signaled that the regulator's cybersecurity guidance, first issued on Oct. 13, 2011, wouldn't be overhauled but rather amended with some new requirements, such as how breach information gets disclosed internally and escalated to senior management (see Report: SEC Plans Breach Reporting Guidance Refresh).
Expect Multiple Changes
With the refresh, Rossi says businesses should expect to have to disclose more cyber risks, refine their insider trading policies and prove that they're taking information security seriously.
"We're likely to see an increased emphasis on having public companies disclose the cyber risks they face, focusing on their business model, the nature of their operations and the evolving and changing nature of cyber risks," Rossi says. "I also think there's going to be an expectation by the commission that we're going to see more timely disclosure of data breaches when they do occur."
No information security practices, policies or procedures are ironclad. But Rossi says businesses will likely be called on to prove that they have mechanisms in place to increase the likelihood that they can detect breaches in a timely manner, escalate these concerns to senior management and rapidly "figure out if the breach is material to investors and needs to be disclosed in a timely basis."
Don't expect the SEC to begin immediately enforcing any new guidance. "Typically they'll issue guidance, say what they want to see and that often is a precursor to enforcement action when they don't see companies or firms living up to their guidance they issued," Rossi says.
Avoid Insider Trading
There's no one-size-fits-all approach to revamping insider trading programs to deal with suspected data breaches. But the Equifax breach and suspiciously timed trades by some of its executives have highlighted the need for organizations to more carefully monitor when employees are allowed to buy or sell shares in their companies (see Equifax: Share-Selling Executives Didn't Know About Breach).
"Given the potential severity of the events following the Equifax breach, it is likely the SEC will emphasize that the general counsel's office or another impartial body must examine trades that occur off an automatic plan and that may be in the same time period of a data breach or some other material cyber event," says Chris Pierson, CSO and general counsel for Florida-based payment services firm Viewpost. "Instead of the SEC dictating what must happen here, look for it to require written, audited and board-approved programs that detail the process to review and approve major or senior executive stock purchases and sales."
Delayed breach disclosures were a recurring theme in 2017. After search giant Yahoo failed to properly investigate a 2013 breach, it belatedly issued waves of bad news, ultimately finding that the breach had compromised every one of its accounts (see SEC Reportedly Probing Yahoo's Breach Notification Speed).
Ride-sharing platform Uber has been criticized for failing to disclose a breach for more than a year, and then its new CEO waited two months to issue a public notification of the breach after he learned about it (see Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack).
Britain's privacy watchdog, the Information Commissioner's Office, has indicated that Uber's cover-up of the breach - which affected U.K. residents - would likely increase the size of any fine levied against it (see Driving Privacy Regulators Crazy: UK Probes Uber Breach).
Under the EU's General Data Protection Regulation, which begins to get enforced in May 2018, organizations that learn that they may have been breached must notify authorities within 72 hours.
Exactly how that GDPR requirement will work in practice remains to be seen, and the same would be true for any breach-notification timelines the SEC might issue (see Data Breach Notifications: What's Optimal Timing?).
"Data breach timing is an especially sensitive and misunderstood topic," Pierson says. "Most news stories, regulators, and others who have not performed data breach forensics, investigation and mitigation do not understand the intricacies of when a breach is thought to be discovered, known for sure, data identified and customers impacted."
The best approach for the SEC, Pierson says, would be to require businesses to privately notify the regulator if they detect that something is amiss and follow it up with a timely, public notification, if that proves to be true, by issuing an 8-K disclosure. That's the form used to notify investors in U.S. public companies of specified events that may be important to shareholders or the SEC.
Expect Revised Rules Soon
The SEC declined to comment on when it will issue the updated guidance, but Pierson expects to see it in the first or second quarter of 2018, once more details about the Equifax breach come to light.
Both Pierson and Rossi expect the SEC to stick with its current approach, requiring businesses to report cybersecurity events that could have a "material impact" on the business that could affect its financial performance or impact shareholders (see Verizon's Yahoo Breach Question: What's 'Material'?).
"We're unlikely to see a change in the principles-based approach - in other words, I think it's unlikely we'll see specific, detailed requirements, because companies have different risks and face different requirements," Mayer Brown's Rossi says.