Last month, the Securities and Exchange Commission (S.E.C.) released new guidance for public companies that encourages senior leadership to prioritise cybersecurity and disclose security breaches and risks that may be relevant to investors.
Some experts have criticised the agency for not releasing more stringent recommendations, citing a lack of consequences for companies that don’t heed this advice. But, however small, we believe the S.E.C. recommendations are a step in the right direction.
Here are three key things to know about the S.E.C.’s new guidelines.
1. Companies must disclose cybersecurity risks as well as incidents
In its statement, the S.E.C. asserts that public companies must disclose not only major cybersecurity incidents and the impact of those incidents, but also any cybersecurity risks that are material to investors, whether or not those risks have resulted in a full-fledged attack.
2. The S.E.C. zeros in on specific types of cyber attacks
Ransomware, phishing, SQL injection, and DDoS attacks are all highlighted specifically by the S.E.C. We are particularly encouraged by the guidance around DDoS attacks. Under these new guidelines, it is not enough for companies that have previously been targeted by a DDoS attack to inform investors that another attack might occur in future. Instead, senior leadership must disclose the previous incident in detail along with the impact it had on the business.
3. Following a breach, organisations should police stock sales
When companies learn about a breach, the potential for insider trading is high. And even if no insider trading occurred, this perception can have a negative effect on stock price. The S.E.C. suggests that companies would be “well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
The S.E.C.’s guidance underscores the need for a multifaceted cybersecurity strategy. For help complying with these recommendations and implementing the right measures at your organisation, contact us.