WASHINGTON (Reuters) - The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers.
The guidance also said company executives must not trade in a firm’s securities while possessing nonpublic information on cyber security attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.
The SEC, in unanimously approving the additional guidance, said it would promote “clearer and more robust disclosure” by companies facing cyber security issues, according to SEC Chairman Jay Clayton, a Republican.
Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans’ personal information. They called for much more rigorous rulemaking to police disclosure around cyber security issues, or requiring certain cyber security policies at public companies.
Commissioner Robert Jackson said the new document “essentially reiterates years-old staff-level views on this issue,” and pointed to analysis from the White House Council of Economic Advisers that finds companies frequently under-report cyber security events to investors.
“It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” Commissioner Kara Stein, another Democrat, said in a statement.
The SEC first issued guidance on cyber disclosures in 2011.
There has since been a surge in breaches, including one at the SEC itself.
The agency announced in September that its EDGAR corporate filing system had been hacked in 2016 and that the breach may have been used for insider trading. The matter is under review.
The new guidance will mean an increase in information disclosed on cyber attacks and risks, several attorneys said.
“This essentially creates a mandatory new disclosure category - cyber security risks and incidents,” said Spencer Feldman, an attorney with Olshan Frome Wolosky LLP.
The guidance addresses concerns about insider trading that emerged last year after credit monitoring firm Equifax Inc (EFX.N) revealed that several executives had sold shares in the days between the company’s discovery of a breach and its disclosure. An Equifax board review found no wrongdoing. Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, said the SEC guidance “makes clear that it doesn’t want a repeat of the Equifax situation.”
Reporting by Pete Schroeder and Jim Finkle; Editing by Grant McCool