SEC: Corporate Data Breach Disclosure, Reporting Rules May Change
Expect the U.S. Securities and Exchange Commission (SEC) to rework requirements for publicly-held companies to disclose cyber security attacks to investors, covering how attack information is disseminated internally and escalated to senior management.
William Hinman, the SEC’s director of corporate finance, told attendees at a legal conference in New York that even though the existing six-year-old reporting framework is in “pretty good shape,” it needs some refining, the Wall Street Journal (WSJ) first reported.
Modifications will also include policies to prevent insider trading, as might have occurred with the massive Equifax breach earlier this year that hit some 145 million people.
“I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Hinman reportedly said. The SEC executive didn’t offer a target date for the rewrite. Two months ago, SEC chairman Jay Clayton hinted reporting rules tweaks were coming when he disclosed the agency had been victimized in 2016 by a cyber attack on its EDGAR public company filing system.
Although the SEC can hit back at businesses it believes may have misled investors about data breaches, this update is a minor event for MSSPs. But to the extent that the revised rules put more onus on corporations to dutifully attend to the fallout from security breaches, they might bring MSSPs more consulting opportunities.
In aligned remarks before the Senate Banking Committee, Clayton said “companies should be disclosing more … [and] there should be better disclosure about their risk portfolios, and there should be sooner disclosures about intrusions… When [companies] have notice of a cyber breach we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly.” (via Bankinfo Security)
At this point, exactly what type of information the SEC wants companies to reveal in a breach’s wake is unclear. As a case in point, earlier this month, an Equifax committee exonerated three top company executives of alleged insider trading for dumping nearly $1.8 million in stock a month before the credit rater revealed the cyber attack. (via CNBC) None of the executives in question knew about the breach ahead of selling their stock, the committee concluded. However, Equifax chief legal officer John Gamble, who approved the stock sales, is still on the committee’s hook, the WSJ reported.
Whatever the Equifax committee concluded, its findings aren’t final and definitive. The Department of Justice’s and the SEC’s investigations of the Equifax hack are still ongoing.