US Companies Urged to Issue 'Clearer' Cyber Risk Disclosures


FILE - Securities and Exchange Commission Chairman Jay Clayton testifies before the Senate Banking Committee on Capitol Hill in Washington, Sept. 26, 2017.

The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cybersecurity risks and breaches, including potential weaknesses that have not yet been targeted by hackers.

The guidance also said company executives must not trade in a firm's securities while possessing nonpublic information on cybersecurity attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.

The SEC, in unanimously approving the additional guidance, said it would promote "clearer and more robust disclosure" by companies facing cybersecurity issues, according to SEC Chairman Jay Clayton, a Republican.

Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans' personal information. They called for much more rigorous rule-making to police disclosure around cybersecurity issues, or requiring certain cybersecurity policies at public companies.

Commissioner Robert Jackson said the new document "essentially reiterates years-old staff-level views on this issue," and pointed to analysis from the White House Council of Economic Advisers that finds companies frequently under-report cybersecurity events to investors.

U.S. Securities and Exchange Commission building, Aug. 5, 2017, in Washington.

The SEC first issued guidance in 2011 on cybersecurity disclosures.

"It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have," Commissioner Kara Stein, another Democrat, said in a statement. Significant breaches have included those at consumer credit reporting agency Equifax Inc. and at the SEC itself.

The Equifax logo and trading information are displayed on the floor of the New York Stock Exchange in New York, Sept. 8, 2017.

The agency announced in September its corporate filing system, known as EDGAR, was breached by hackers in 2016 and may have been used for insider trading. The matter is under review.

The new guidance will mean that corporations disclose more information about cyberattacks and risks and take steps to ensure no insider trading can occur around those events, said several attorneys who advise businesses on the subject.

"This essentially creates a mandatory new disclosure category — cybersecurity risks and incidents," said Spencer Feldman, an attorney with Olshan Frome Wolosky LLP.

Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, said the SEC guidance "makes clear that it doesn't want a repeat of the Equifax situation."

Reuters