Blogs

In this memo: "Equifax Insider Trading Charges Highlight Importance of Tailored Policies and Controls," Manett recaps the recent Equifax insider trading enforcement action (reported on here) in the context of the SEC's updated cybersecurity guidance to identify these and other key takeaways for companies seeking to comply with the guidance and mitigate the potential for insider trading on the basis of potentially material nonpublic cyber breach information:

• Consider expanding the scope of those covered by your trading blackout periods to include personnel who may learn of material nonpublic information indirectly. The memo elaborates: "In particular, high-level executives, such as the defendant in the Commission's complaint, who will play a key role in remediating any cyber incident, should likely be subject to trading blackout periods as a result of the sensitive information to which they will be exposed."
• Likewise, consider expanding the scope of those required to pre-clear their trades. As applied to Equifax, Manett notes: "The defendant, for example, does not appear to have been subject to pre-clearance despite his seniority and the fact that he worked closely with personnel who had knowledge of the data breach. As such, he was able to freely dispose of his stock, and Equifax did not become aware of his trading activities until several weeks thereafter."
• Ensure cyber-related matters are expressly included in your insider trading policy as among the types of information that may be material, and thus, which may preclude trading in company stock.

On the disclosure front, Manett suggests that companies may need to engage technical experts to assist them in tweaking or developing their cybersecurity-related disclosure controls & procedures (to facilitate timely reporting up of potentially disclosable information) to ensure they are appropriately tailored to the company's risk profile.