Corp Fin Signals Forthcoming Updated Cyber Disclosure Guidance & Also Suggests Companies Review Insider Trading Policies

By Randi Morrison posted 11-10-2017 08:52 AM

This news is hot off the WSJ press:

SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches


A senior Securities and Exchange Commission regulator said Thursday that public companies will soon face new guidelines for how they report cybersecurity breaches to investors.

The agency will probably update directions that it gave to companies over six years ago, before the spate of high-profile breaches, including at the SEC itself and Equifax Inc., the credit-reporting firm with access to sensitive financial details for millions of consumers.

Among the issues that the commission should tackle are updating guidance on describing the level of cyberintrusion that demands a public disclosure, in the face of the numerous attacks against companies, said William Hinman, the SEC’s recently installed director of corporation finance.

Mr. Hinman also advised companies to examine their own policies for insider trading following a cyberbreach.

“I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Mr. Hinman said. “I think it would be wise for folks to examine their insider trader policies in connection,” to a systems breach, he added.

Mr. Hinman didn’t give a specific time frame for when the commission would mull or issue the guidance. The SEC’s existing guidelines for cybersecurity risks and breaches were issued in October 2011. The agency didn’t require public companies to report every hack to investors, but described how significant attacks could affect a firm’s financial performance or different aspects of its business, which might need to be disclosed.

The guidelines don’t carry the full force of regulations. But companies cannot simply ignore the guidance, because the SEC has the authority to bring an enforcement action against a firm that misleads investors about a material cybersecurity risk or hack.

If the agency moves forward it will be implementing the new policy amid high-profile breaches. Equifax earlier this month said an internal investigation exonerated four senior executives who sold shares in the days after the discovery of suspicious activity on its systems.

Equifax has said that it discovered the suspicious activity in late July. The company was widely criticized for waiting until early September before informing the public.

The SEC itself was also under a harsh spotlight for the handling of a breach of its electronic system for storing public-company filings. Though the intrusion took place last year, the agency only informed the public in September.

The corporate-filing system that was breached, known as Edgar, is the SEC’s cornerstone system for storing and disseminating earnings announcements and other news that often moves stock prices. Edgar stands for Electronic Data Gathering, Analysis, and Retrieval System.

Mr. Hinman didn’t specifically address either breach during his comments, delivered at a legal conference in New York.

Speaking about the SEC’s current policies on cybersecurity, Mr. Hinman said “current guidance is in pretty good shape,” but the agency would “touch a couple of things that will be new.”

He said the agency would look at disclosure controls and escalation procedures after a cyberattack. He said that the new norms should assure that “when an event happens that they are looked at by the right levels of management with an eye toward how…(it) impacts the business.”


Access our numerous cyber disclosure and other guidance (including Corp Fin's current guidance) and practical resources here.