Cybersecurity guidance from SEC lacks teeth
Agatha Christie's fictional sleuth, Miss Marple, once said in a BBC adaptation that "good advice is almost certain to be ignored, but that's no reason for not giving it." That may reflect how companies will respond to guidance recently issued by the Securities and Exchange Commission (SEC) about how companies should deal with cybersecurity threats.
Security breaches at companies like Equifax, Target and Yahoo over the past few years have exposed the personal information of millions of consumers. The federal government isn't immune to hackers, either. The systems of the Office of Personnel Management and even the SEC have been breached.
The response from companies usually seems to be about keeping a lid on the hack. That's something the SEC would like to end, but its guidance may not go very far in changing how companies deal with cybersecurity issues.
The SEC's guidance is full of good advice. The regulator tells companies that they need to have in place "disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition and results of operations."
Just as important, companies are expected "to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences." Those are worthwhile reminders, but the SEC has yet to institute any direct measures to compel companies to reveal the nature and scope of a cybersecurity breach.
The Equifax breach, which affected more than 140 million people, came to the company's attention in late July, but the public didn't learn of it until early September. Whether keeping quiet for almost six weeks can be considered timely disclosure is an open question, but nothing happened to the company because of the delay.
There will always be at least some lag time between discovering a theft of information and an assessment of its extent. Hackers don't want to be discovered, so the scope of a breach may not be immediately apparent.
But the SEC pointed out that "an ongoing internal or external investigation - which often can be lengthy - would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident."
The SEC also warns companies about the potential for insider trading when they learn about a breach, which inevitably has a negative effect on the stock price once it is disclosed. It cautioned that "companies would be well-served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure."
For example, just a few days after the breach at Equifax came to the company's attention, four members of management, including the chief financial officer, sold US$1.8 million worth of shares. An investigation by a special committee of the board of directors exonerated them, finding that none knew about the breach at the time, a key requirement to prove insider trading.
The problem is that even the perception that corporate executives sold shares before disclosing a cybersecurity problem can compound the negative publicity surrounding a breach.
The SEC's guidance is certainly welcome, and it may nudge companies to be more aggressive in policing stock sales when a cybersecurity problem comes to light. The trouble is that the advice can easily be ignored when a breach occurs. If the SEC wants to send a message to companies, it may need to ratchet up the pressure by pursuing an enforcement action.
Nothing gets the attention of corporate directors and executives like a case that describes how a failure to respond in a timely fashion resulted in a violation of disclosure requirements.
The problem is that proving a case can be difficult because the standard for when information must be revealed is so elastic. Companies must reveal "material" information in a timely manner, which the Supreme Court said in Basic vs Levinson depended "on the significance the reasonable investor would place on" it.
The point at which a cybersecurity breach reaches that level is almost impossible to describe with any precision.
And that gives companies flexibility in deciding when the handiwork of hackers becomes material information for investors, despite the SEC's push for earlier disclosure. NYTIMES