The United States Securities and Exchange Commission (SEC) has warned public companies that they not only need to do more to fulfil their obligations to transparency and openness with investors about cybersecurity breaches, but they also must disclose other infosecurity risks.
The point to underline here is that it's not just a hack or data loss that needs to be communicated openly with investors, but also the risks to companies not previously targeted:
"it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack."
So, for instance, if you were a technology manufacturer who had become aware of a serious security vulnerability in one of your shipping products which could potentially be exploited by a malicious hacker, the disclosure of the problem needs to be handled appropriately and responsibly - even if there is no reason to believe that anyone is currently taking advantage of the flaw.
What you definitely should not do, in the eyes of the SEC, is take advantage of privileged insider knowledge of a security risk to sell millions of dollars worth of the company's stock knowing that there is a good chance bad news is around the corner.
As the updated guidance explains:
...directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company. Public companies should have policies and procedures in place to:
(1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and
(2) help ensure that the company makes timely disclosure of any related material nonpublic information.
The advice is timely, as two large companies have recently come under fire after it was discovered that executives had sold millions of dollars worth of stock between discovering a cybersecurity breach or vulnerability and disclosing the issue to the public.
Even if the executives in those cases had no direct knowledge of the cyber risk before they sold their stock, the SEC is obviously keen to avoid any perception by the public that impropriety has occurred.
What the SEC doesn't do, however, is provide clear guidance about which cybersecurity risks should be considered "material" and which should not. And although that will undoubtedly provoke some criticism, amid fears that companies' legal teams will use the ambiguity to hide details of threats, at least the SEC appears to be sending a message that public companies need to improve their infosecurity response, and that the response needs to be co-ordinated at board level.
In short, the SEC is sending a message that it will be watching businesses' response to security incidents closely - in particular when it comes to just how long it takes for a public company to go public with details of a breach, and the accuracy of any statements it makes.
One gets the impression that there are some members of the SEC who would like to see stronger and more stringent guidance for public companies in the future - which surely would be a good thing for the majority of us who don't hold any shares in a particular business, but certainly do care a great deal if it loses control of the personal data we have entrusted to it.