King & Spalding's instructive "Practical Advice for Evaluating Insider Trading Compliance Programs in Light of Recent Cybersecurity Events and SEC Guidance" identifies insider trading policy best practices and suggested updates in response to the SEC's recently updated cybersecurity disclosure guidance.
As to cyber-related updates specifically, the firm offers for consideration this broader-based text in lieu of specifically calling out "cybersecurity events" as among the types of events that may be material and thus warrant preclusion of trading in company stock:
Insider Trading Policy (sample excerpt)
Information dealing with the following subjects is reasonably likely to be found material in particular situations:
(x) "a significant disruption in the company's operations or loss, potential loss, breach or unauthorized access of its property or assets, including its facilities and information technology infrastructure."
Further to the SEC's guidance, the memo also advises that policies include mechanisms and provisions for implementing special trading blackouts that can be imposed at any time and on any group of employees or officers.
Additional matters identified for potential updates include timing and duration of trading windows and the list of insiders subject to the windows; categorizations of employees, officers and directors subject to the various trading restrictions (e.g., pre-clearance, blackouts); pre-clearance approach and process; and social media communications and other developments. Notably, the firm expects a trend toward companies designating committees (e.g., Legal, Finance, and Compliance) rather than individuals to make trading pre-clearance determinations (which are often not black and white), so that no single individual bears this responsibility.