Banking, finance, and taxes

SEC Issues New Guidance on Cybersecurity Attacks

Paul Ausick

Published: February 23, 2018 11:30 am

Last Updated: January 12, 2020 3:06 am

On Wednesday the U.S. Security and Exchange Commission (SEC) issued what it calls “interpretive guidance” for publicly traded companies, directing the firms to provide more and more timely information on cybersecurity incidents and risks.

The SEC also declared that corporate officers, directors and other insiders “must not” trade shares in their companies if that have “material nonpublic information,” including knowledge of a cybersecurity incident at the company.

While the wording might be a little vague on exactly what the SEC wants a company to disclose and how quickly it wants the information disclosed, the guidance states:

Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.

The guidance seems directed at recent events surrounding a flaw that is present in every CPU chip manufactured and sold by Intel Corp. (NASDAQ: INTC). The so-called Meltdown and Spectre flaws were first discovered by Intel in June of last year. CEO Brian Krzanich filed a plan in October to sell nearly all of his stock in the company in November for a gain of around $25 million. The flaws were first publicly announced in January, and the share price fell 9% when the news hit.

Three senior executives at Equifax sold shares in the company a few days after Equifax discovered the data breach that resulted in the release of personal information on 143 million Americans. The sales occurred more than a month before Equifax publicly announced the breach.

The SEC guidance does not specify what a company must do or when, only that the company “have procedures and policies in place” to deal with insiders who could trade on material but not yet public information.

Because the guidance is a clarification of an existing rule rather than a new rule, both the Equifax and Krzanich stock sales may come under further scrutiny.