Few Companies Report Hacks to Investors, SEC’s Jackson Says

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Jacob Rund

Less than 5 percent of public companies that reported data breaches to regulators last year disclosed those hacks to investors, SEC Commissioner Robert Jackson said March 15.

Jackson, speaking at the Tulane Corporate Law Institute in New Orleans, called on companies and their counsel to strive for greater transparency when facing cybersecurity issues.

Disclosures of breaches to investors have been lacking, he said, adding that his staff conducted its own review of data breaches reported to regulators and the media and was “surprised” by the results. “Of 81 cybersecurity incidents at public companies in 2017, only two companies chose to file” a form 8-K with the Securities and Exchange Commission to disclose it to the investing public.

While it’s possible that not all of the cyber events were material and required disclosure to investors, “there is significant evidence that events like these matter to the market,” said Jackson, a Democrat who joined the SEC in January. “America’s companies and corporate bar can do better.”

The SEC issued new guidance Feb. 21 on how public companies should report cyber breaches and related threats. It underscored that it is important for companies to have processes in place for informing executives and investors of these issues.

Jackson joined the other four commissioners in voting to issue the SEC guidance in February, but added that he was “reluctant” to do so. In a statement following the vote, he said the guidance reiterated “years-old, staff-level views” and might not have gone as far as it should have.

Prior to the guidance, the commission, which recently experienced its own hack, last issued instructions on cybersecurity disclosures in 2011.

Jackson said March 15 that he has called on the SEC to give “careful consideration” to new 8-K requirements for cyber events. But “any rules we make are only as good as the the work of the lawyers in the boardroom.”

Insider Trading

Jackson also called into question the existing rules and laws governing insider trading on information about undisclosed cyber events. We “may want to ask ourselves whether the insider trading law we have is adequate to meet” new challenges facing companies, he said.

Former Equifax executive Jun Ying is the latest high-profile example of alleged insider trading based on knowledge of a cyberattack. Federal prosecutors charged Ying on March 14 with profiting off the breach of the credit reporting agency that affected more than 140 million consumers.

Jackson asked whether enough is being done in boardrooms to prevent this type of illegal trading, and said he worries whether sound internal policies “have made their way across the wide spectrum” of industries that make up U.S. markets.

To contact the reporter on this story: Jacob Rund in New Orleans at jrund@bloomberglaw.com

To contact the editor responsible for this story: Fawn Johnson at fjohnson@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Corporate on Bloomberg Law