Over the past year, cyber threats and risks have drastically increased in severity, creating critical information security challenges, many of which have resulted in data breaches. In response to the evolving risk landscape, the U.S. Securities and Exchange Commission (SEC) approved an update to its cybersecurity guidance, which sets out the SEC’s views on public companies’ disclosure obligations involving cybersecurity risks and incidents.
Publicly traded organizations currently utilize this guidance as a benchmark for reporting data breaches to investors. The SEC intends to improve disclosure standards by requiring organizations to better communicate their risk profile. The changes will require organizations to review the processes in which information is distributed internally and externally, as well as the surrounding controls and procedures.
“Companies today rely on digital technology to conduct their business operations and engage with their customers, business partners and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission. As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased,” stated the SEC.
With the updated guidance, the SEC will address two major concerns: breach notification and insider trading.
After numerous accounts of delayed data breach notifications, from Yahoo to Uber, the SEC plans to tighten notification requirements. Revisions surrounding breach notifications will be similar to that of the European Union’s General Data Protection Regulation (GDPR).
Under GDPR, organizations will be required to notify regulators within 72 hours. However, the SEC’s expected notification timeline will require an immediate private-detection notification, as well as a timely, public notification using an 8-K disclosure form. Issuing an 8-K form will notify shareholders of an event that may affect them.
The revised cybersecurity guidance focuses on post-breach processes and, specifically, strengthening insider trading policies. By re-examining affiliated controls and procedures, the SEC aims to improve insider trading prevention with constant vigilance.
The new guidance will require that all trades following a data breach or cyber event be monitored and assessed by the general counsel’s office. Moreover, the SEC believes that streamlining its regulations for insider trading will increase the number of public offerings.
Compliance with the guidance is currently not mandated; however, organizations can face consequences if investors are misinformed about a data breach or risk profile. As cyber-attacks continue to increase in both number and complexity, it is important to safeguard your organization through policies and procedures covering public disclosure and insider trading. Establishing a cybersecurity risk assessment that identifies cyber threats and evaluates disclosure controls and procedures will be essential to measuring the effectiveness of the program in place.
To learn more about the SEC Cybersecurity Guidance and changes, contact us at [email protected] or call 1-888-702-5446 to have an experienced cyber risk professional answer your questions.