SEC stresses insider trading in new cyber guidance

Posted On: Mar. 6, 2018 7:14 AM CST

New cyber security guidance issued by the U.S. Securities and Exchange Commission warns publicly held companies’ boards of directors to be alert to insider trading and the need to implement cyber security procedures and protocols.

But some observers — including two Democratic SEC commissioners — feel it adds little to the SEC’s 2011 guidance on this issue.

Experts say the latest guidance stresses in particular warnings against insider trading; the need for directors to stay on top of the issue of cyber security by introducing policies and procedures; and the requirement that firms disclose “material” issues related to cyber security.

The 24-page guidance “reinforces and expands the SEC’s 2011 guidance,” said SEC Chairman Jay Clayton in a Feb. 21 statement accompanying the new guidance.

Although the commission unanimously approved the guidance, two commissioners said it did not go far enough.

Commissioner Kara M. Stein said in a statement released the same date: “Unfortunately, despite the staff’s best effort to develop guidance that elicits robust disclosure to investors, meaningful disclosure has remained elusive.” She said she is “disappointed with the Commission’s limited action.”

Commissioner Robert J. Jackson Jr. said in a separate statement: “The guidance reiterates years-old staff-level views on the issue. But economists of all stripes agree that much more needs to be done.”

He quoted the Council of Economic Advisers as stating regulators can devise a “scheme of penalties and incentives” that will help raise cyber security investment levels “to the socially optimal level.”

Kevin LaCroix, executive vice president of RT ProExec, a division of R-T Specialty L.L.C., in Beachwood, Ohio, said it is noteworthy that the two Democrat commissioners on the SEC “were critical of the guidelines for not going far enough, so right away you’ve got voices on the commission that feel the commission should be doing even more to encourage companies to be more forthcoming with their disclosures.”

Probably the most significant thing about the guidance is that the SEC “felt obligated to issue it,” said Mr. LaCroix. “They clearly wanted to send a message to reporting companies they needed to be forthcoming about disclosure of cyber security events.”

“I think that it was much ado about nothing, frankly,” LaDawn Naegle, managing partner with Bryan Cave L.L.P. in Washington, said of the guidance.

“I agree with many who have observed that it’s really just a reminder by the Commission of the prior guidance that had been issued by the staff with respect to a company looking at cyber security risk and cyber security incidents” and conducting an analysis of what is material and how best to disclose it, Ms. Naegle said.

David M. Furbush, a partner with Pillsbury Winthrop Shaw Pittman L.L.P. in Palo Alto, California, said: “The most meaningful takeaway for me is their emphasis on certain issues,” which suggests these may become enforcement priorities.

There are “repeated mentions in the guidance of policies and procedures that will prevent insiders from trading in the company’s stock during the period of time when they know there’s a cyber security incident that’s not then publicly discussed,” he said.

Mr. Furbush said he suspects the SEC will be “very diligent” in enforcing insider trading rules when this occurs.

Executives of Atlanta-based Equifax Inc. had sold company stock before its data breach was publicly announced. The company later said in a statement that none of the executives had been aware of the breach when their trades were made.

There was also a lot of emphasis on the extent of cyber security oversight, Mr. Furbush said. He said he believes if it appears a company had inadequate policies and procedures, the SEC will examine whether this was because of the board’s failure to oversee the issue.

Brian H. Lam, an associate with Mintz, Levin, Cohn, Glovsky & Popeo P.C. in San Diego, said the guidance “shows that the SEC is serious about this.” But “what will really spur people to take this seriously” is how the SEC pursues the issue, Mr. Lam said.

Mark L. Krotoski, a partner with Morgan, Lewis & Bockius L.L.P. in Palo Alto, said the guidance “does provide a level of flexibility. In contrast to other cyber security regulations, which are mandated, specific requirements, this one does afford some measure of assessment of the facts.”

“I don’t know how they would go further, shy of promulgating express and mandatory disclosure requirements,” said Rachel K. Paulose, a partner with DLA Piper L.L.P. in Minneapolis, who is a former SEC senior trial counsel.

At the highest level, boards “should go through the experience of educating themselves about the company’s defenses against cyber security attacks and the company’s plans and procedures for dealing with when that happens,” said Mr. Furbush.

Companies should re-form their policies “to explicitly prohibit insider trading around cyber incidents,” said Ms. Paulose.