SEC May ‘Refresh’ Cybersecurity Disclosure Guidance: Official

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

By Andrew Ramonas

The SEC is looking to give companies more direction on reporting cybersecurity issues, a top agency official said Nov. 9 following Equifax Inc.’s massive data breach.

The Securities and Exchange Commission may issue a “refresh” of 2011 staff guidance on disclosing cyberattacks to help give companies a better understanding of the agency’s thinking on the matter, William Hinman, director of the agency’s Division of Corporation Finance, said at a Practising Law Institute conference in New York.

Under the staff guidance, companies may have to report incidents that affect their financial condition.

The SEC recently has seen “more and more events happen” at companies, which have a “range of approaches on disclosure” about cybersecurity, Hinman said, without identifying any corporations by name.

“I think this issue is important enough, wide-ranging enough that we’d like to see the commission itself speak to the topic,” he said at the 49th Annual Institute on Securities Regulation.

`Thoughtful’ Policy Important

Hinman’s remarks came after lawmakers this fall told SEC Chairman Jay Clayton that Equifax executives may have profited from confidential information about the hacking that exposed the data of more than 100 million users. Clayton said in September that a “thoughtful insider trading policy” with controls for trading stock on material information is an “important part of good corporate hygiene.”

The new guidance likely will emphasize that details on cyberattacks can be material nonpublic information, Hinman said. “I think it would be wise for folks to re-examine their insider trading policies to perhaps specifically take into account how they will deal with events that are occurring,” he said.

The update also probably will remind companies to look at their disclosure controls and escalation procedures when they experience cyber incidents, Hinman said.

The events should be “looked at properly by the right levels of management with an eye toward not just handling the attack, but also the implications of the attack on the business itself,” he said.

A spokesman for Clayton didn’t immediately respond to a request for comment.

To contact the reporter on this story: Andrew Ramonas in Washington at

To contact the editor responsible for this story: Phyllis Diamond at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Securities & Capital Markets on Bloomberg Law