The U.S. Securities and Exchange Commission has released revised cybersecurity guidance for publicly traded companies.
The guidance, approved unanimously by the commission on Tuesday, is meant "to assist public companies in preparing disclosures about cybersecurity risks and incidents," the SEC says.
"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," SEC Chairman Jay Clayton says in a statement. "In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."
The new guidance sends a clear message to corporate executives that they must take responsibility for cybersecurity.
"This guidance serves as a loud wake-up call for all boards of directors to determine who among them is a cybersecurity and risk expert, what role the board is playing in governing cybersecurity risks, and how exactly the board is managing these risks and responding to incidents," Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a cybersecurity consultancy, tells Information Security Media Group.
"Specifically, the guidance calls for companies to include a description of how the board administers its risk oversight function for cybersecurity and how the board engages with management on cybersecurity issues," he adds. "Just like with Sarbanes-Oxley, the SEC is telling the board to figure out how they will govern and oversee all risks, but most especially cybersecurity risks and incidents."
Updates 2011 Guidance
The new guidance builds on the SEC's 2011 cybersecurity guidance, which said businesses might be required to disclose information security risks and incidents to investors. But the SEC said that "in light of the increasing significance of cybersecurity incidents," additional guidance had become necessary.
Of course, a lot has changed since 2011. Watersheds include the breach of retailer Target in 2013 and the ongoing data breach epidemic, the rise of ransomware schemes, increasingly destructive malware attacks such as NotPetya, as well as last year's ill-timed share sales by senior executives at Equifax after the company discovered a massive breach, but before it disclosed the breach to investors. The SEC has also reportedly already investigated companies such as Yahoo for failing to disclose breaches to investors in a timely manner.
Last September, Clayton signaled that the new guidance was on the way. "I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues," Clayton said during a September 2017 panel discussion. "I'd like to see better disclosure around that."
Last November, William Hinman, the SEC's director of corporation finance, echoed his boss's remarks, saying that while "current [cybersecurity] guidance is in pretty good shape," the regulator wanted to see companies provide "better disclosure about their risk profile."
The SEC's refined cybersecurity guidance includes many changes that securities litigation and enforcement experts had expected, including expectations that businesses disclose more cyber risks, refine their insider trading policies, and have boards of directors and senior executives demonstrate that they're taking information security seriously (see SEC Plans Cybersecurity Guidance Refresh: What to Expect).
Pierson says the new guidance focuses on a number of areas. "First, it reinforces that all companies must inform investors in a timely fashion of all material cybersecurity risks and incidents and update prior disclosures when facts change," he says.
"Second, in the wake of suspicious trading in the Equifax breach," he says the regulator is also "reinforcing the importance of policies and procedures around insider trading for cybersecurity incidents." And finally, the new guidance tells companies that they "should continually review risk factors, policies, procedures, and issue non-generic risk language to investors in disclosures."
Where data breaches in particular are concerned, Pierson says the SEC "acknowledges that facts change and investigations take time." But when facts do change, he says the regulator has made it clear that it expects to see timely updates - at least quarterly, when required - from businesses.
The guidance's expectation that companies prevent trading in their shares once a material incident or risk has been discovered, but not yet disclosed, covers directors and officers as well as any other insiders who know about the matter. "Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk," the new guidance reads.
Expect More Guidance in Future
Expect the SEC to continue refining its cybersecurity guidance.
"There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," SEC Chairman Clayton says. "I have asked the division of corporation finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."