Last summer’s highly publicized Equifax breach prompted conversations (but inexplicably no action) by congressional lawmakers on a company’s legal responsibilities in the wake of a data breach. Of particular concern and outrage in the weeks after Equifax’s disclosure was news that company executives sold stock within mere days of the breach’s discovery. Although a special committee cleared the executives of any insider trading, the news of the coincidental stock sales was publicly panned. Similar suspicions were once again raised over news that Intel CEO Brian Krzanich sold $24 million worth of stock after his company learned of a major security vulnerability in its PC processors.
As skepticism abounds over the legality of stock sales by public companies that have suffered recent data and security incidents, the Securities and Exchange Commission has decided to join the discussion. In a release titled “Guidance on Public Company Cybersecurity Disclosures,” the SEC puts public companies on notice — Sellers beware after a data breach.
Directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.
The Guidance can be broken down into two plain directives: the need for timely disclosure and cybersecurity policies and procedures.
Timely Disclosure
The SEC’s directive to public companies that suffer a cybersecurity incident is straightforward: disclose the incident to investors in a timely manner, prior to any offer or sale of securities. That’s not all, though. Even the absence of any specific incident should not preclude public companies from proactively reporting on their cybersecurity posture. This proactive reporting should occur through ongoing disclosure filings, such as periodic reports on Form 10-K and Form 10-Q, both of which require disclosure of risk factors, and current reports like Form 8-K. Further, the SEC believes cybersecurity incidents, costs, and risks implicate the disclosures required under Regulation S-K that speak to risk factors, legal proceedings, and board risk oversight (to name a few).
Cybersecurity Policies and Procedures
The SEC also emphasizes the need for public companies to have appropriate cybersecurity policies and procedures in place, particularly with regard to how risks and incidents are processed and reported to senior management. Cybersecurity controls, or the lack thereof, directly implicate the fiduciary duty expected of the board and can give rise to shareholder derivative suits (see Home Depot, Target, and Wyndham). The SEC points to the mandatory disclosure controls and procedures required by Exchange Act Rules 13a-15 and 15d-15, stating: “Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” Not a very short punch list, to say the least.
The Equifaxes and IBMs are now on notice that the Commission plans to monitor, and may even investigate, the mere appearance of insider trading after any data breach event. “Companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.” As public companies’ reliance on information and communication technology continues to increase exponentially, adequate cybersecurity measures should now be firmly included in the cost of doing business.