By: Carolyn Crandall
The new SEC guidance builds upon the SEC’s 2011 cybersecurity guidance and is designed to assist publicly traded companies in preparing disclosures about cybersecurity risks and incidents.
What it is: Guidance for promoting clearer and more robust disclosures so that more complete information can be made available to investors. SEC Chairman Jay Clayton says in a statement, “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
What it is designed to do: This is clearly meant as a wake-up call to corporate executives and boards of directors that they must take responsibility for cybersecurity. Similar to Sarbanes-Oxley, the guidelines also call for a description of how the executive team and board will engage on cybersecurity issues. This oversight would require greater definition of how an organization will govern and respond to security risks and incidents.
Why organizations should comply: Having effective breach disclosure controls and incident response procedures will help these organizations make accurate and timely disclosures of attacks or material incidents. Having these controls and established procedures will also aid companies in satisfying their disclosure obligations under federal securities laws.
What are the most significant changes: Businesses are now required to disclose more cyber risks and to refine their insider trading policies for senior executives and boards of directors in order to prove that they are taking cybersecurity seriously.
Companies must inform investors in a timely fashion of all material risks and incidents and provide updates when facts change. When facts change, timely updates must occur at least quarterly.
As a result of the Equifax breach, the SEC is also “reinforcing the importance of policies and procedures around insider trading for cyber security incidents.”
The companies should also “continually review risk factors, policies, and issue non-generic risk language to investors in disclosures.”
The prohibition on trading corporate shares after a breach is discovered will apply to both directors and officers. Disclosures of the incident and risk must be made in a timely fashion and prior to the offer and sale of securities by these individuals.
Is it enough?: Many argue that these revisions are a good step, but not enough given the frequency and severity of breaches that continue to occur. SEC Chairman Clayton shared, “I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.”
Working for a company that actively detects threats every day, I get the rare opportunity to hear and see how a wide variety of companies are preparing for executive, board, and compliance disclosure. There are limitless approaches, but in the end it always comes down to how early threats are detected and how long it takes to understand, stop, and remediate the threat. Attivo Networks® has made significant investment in the ThreatDefend™ Platform to be able to efficiently detect, analyze, and respond to incidents. This includes built-in forensic and other incident management tracking so that organizations both large and small get the actionable insight to quickly shut down the attack and remediate against the incident. With pressures for early disclosure mounting, it is now more critical than ever not only to detect early, but also to gather enough information to quickly understand and respond to the attack. For insight on how the Attivo Networks deception and response platform can simplify responding to these demands, contact firstname.lastname@example.org.