Companies Get New SEC Direction on Cyber Issues as Hacks Mount


By Andrea Vittorio

The SEC on Feb. 21 issued new guidance on how public companies should report cyberthreats and breaches to investors, as a number of high-profile hacks put a spotlight on the issue.

Securities and Exchange Commission Chairman Jay Clayton said it “reinforces and expands” staff guidance from 2011 for making cybersecurity disclosures under existing reporting requirements.

Hacks have reached a new high since then, with U.S.-listed companies such as Equifax Inc. and Verizon Communications Inc.’s Yahoo! disclosing 64 security breaches in 2017, according to data provided by Audit Analytics. That’s up from 38 breaches in 2012.

The commission’s new guidance stresses the importance of having corporate processes in place for reporting cyberattacks up the corporate ladder and informing investors.

It also reminds companies that executives, directors, and others with insider knowledge of such attacks shouldn’t trade on that information before it’s made public. Equifax executives faced heat over stock sales they made days after its breach was discovered, though the company’s board later said they had no knowledge of the attack at the time.

“I believe that providing the commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” Clayton, an independent, said in a statement. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

‘Reluctant’ Support

The commission, which recently revealed a hack of its own, unanimously approved the guidance in a vote behind closed doors the day before it was set to be considered at a public meeting. That meeting was canceled.

The directive didn’t go as far as the commission’s two Democratic members had hoped, though the SEC says in the guidance that it continues to consider “other means” of promoting better cyber disclosures.

Commissioner Robert Jackson said he gave his “reluctant” support. “The guidance essentially reiterates years-old staff-level views on this issue,” Jackson, who joined the SEC in January, said in a statement. “But economists of all stripes agree that much more needs to be done.”

He said that includes the White House’s Council of Economic Advisers, which in a Feb. 16 report cited concerns that companies are underreporting cyberattacks and data breaches. Fellow Democratic Commissioner Kara Stein, who has called current cyber disclosures “far from robust,” likewise put out a statement saying she was disappointed with the SEC’s “limited action.”

“Simply put, seven years since the staff guidance was released, despite dramatic increases in cyberattacks and their related costs, there have been almost imperceptible changes in companies’ disclosures,” Stein said. “This to me strongly suggests that guidance alone is inadequate.”

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editor responsible for this story: Yin Wilczek at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
