SEC Guidance on Cybersecurity

On Wednesday, the SEC issued new guidance for public companies on the disclosure of information about a cybersecurity incident or risk.


The previous guidance was issued in October 2011 and a lot has changed since then.  The new guidance is not clear on some of the expectations about timing of informing the public or the significance of an event that would require this.  I am sure we will get more expert guidance and opinions in the coming weeks.

The guidance is clearly directed towards insider trading.  There have been a number of highly publicized insider trading allegations; for example, three senior executives at Equifax sold shares in the company a few days after Equifax discovered the data breach that resulted in the release of 143 Million people’s personal information.  Equifax did not announce the breach to the public until a month later.

The guidance states: “Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.”

The guidance does not specify what controls a company needs to have in place but does specify that companies must “have procedures and policies in place” to prevent insiders from trading based on non-public information concerning these types of events.

“I believe that providing the commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a news release. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

We will be monitoring this guidance to see how it impacts smaller public companies, but I would expect that policies governing trading during a cyber-event, as well as releasing information more quickly, will be required if you have an event.  And because this is considered clarification of an existing rule rather than a new rule, follow-up on past events such as the Equifax accusations could be expected.


Throughout his time at YHB, Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. He also frequently speaks and gives presentations on SOX compliance, internal controls, and data security.