IT Insights
Updated SEC Cybersecurity Guidance: Are You in Compliance?

Equifax stock fell 35% after a massive data breach was revealed — and at least one executive is facing criminal charges. Target’s quarterly net earnings plunged 46% following the news that credit card information had been compromised for as many as 110 million customers. Facebook’s handling of private information, although not technically a breach, has caused serious damage to its reputation and resulted in founder Mark Zuckerberg being called before Congress.

Such threats are not new. In 2011, the U.S. Securities and Exchange Commission (SEC) released a set of guidelines for how public companies should disclose cybersecurity risks and breaches to their shareholders. At that time, organizations were beginning to recognize just how much of an impact cybersecurity (or the lack of it) was having on their earnings and value. Seven years later, the threats are more obvious and the public has higher expectations for how companies will protect their data. The SEC has also updated its cybersecurity guidance. The new guidance became effective February 28, 2018, and public companies should make sure their policies and procedures enable them to comply.

What Changed?

The SEC, plain and simple, wants more thorough reporting. Not only will public companies have to report the cybersecurity risks they face, but they will also be expected to disclose, in detail, how they are guarding against future breaches. While the SEC recognizes that no system is infallible, it does expect public companies to demonstrate that they are doing their absolute best to prevent breaches, and to report breaches promptly when they do occur.

Insider Trading

Insider trading is obviously a major concern for the SEC. The highly publicized Equifax breach revealed suspiciously timed trades by its executives, and in March 2018, one of the company’s chief information officers was charged with insider trading. The new guidance presses this point hard, repeatedly emphasizing the importance of policies to prevent insider trading and to prevent selective disclosure of material information. The SEC has not historically required specific policies, instead embracing a more principles-based approach; nevertheless, the agency will scrutinize the policies that companies implement. Prevention and self-examination are wise strategies, such as employing a third party to examine off-schedule trades that occurred around the same time as a breach.
