What the SEC and Congressional Crackdown Means for Public Boards

Nicholas J Price
6 min read
It's fascinating to think about all of the amazing things that a tiny silicon microchip can do. They hold a universe of information. The more information they hold, the more susceptible they are to being hacked. While the race for enhanced technology marches on, another race simultaneously takes place to protect the public from hackers.

Perhaps, someday, we'll find a solution to cybersecurity, but to date, we don't have any perfect solutions. However, there are things that we can do.

Public companies can invest some of their profits in taking the most appropriate security measures possible. If a data breach occurs, they can quickly investigate any suspicions of a breach and notify customers as early as possible. It's also necessary to make sure that potential breaches don't affect trading for those who have inside information on cyber leaks.

The SEC Produces New Guidelines After Spectre and Meltdown Vulnerabilities Made Public

The general public doesn't always learn the names of the common microchips that are household names around Silicon Valley. That all changed when Intel and other IT companies revealed a design flaw with the Spectre and Meltdown microchips. A tiny design flaw created a big opening for hackers to steal private information. A tiny chip suddenly became a big problem.

Microchips run all essential processes on laptop computers and mobile devices. The microchips handle extremely sensitive information, such as passwords and encryption keys. These functions keep data securely in the hands of those who have access to it.

Intel and other IT companies wisely disclosed the issue with the Spectre and Meltdown chips, noting that the issue may pose a security risk to consumers. To date, we don't know that there have been any problems with information getting stolen, but at least now there's public disclosure about the potential vulnerabilities.

SEC Publishes Updated Guidelines About Cybersecurity for Public Companies

Perhaps not so surprising is how quickly the SEC moved to publish updated guidelines for public companies regarding the expected standards for cybersecurity. The SEC released the update within two months after the disclosure of the Spectre and Meltdown flaws.

The new guidelines inform public companies about how and when they must disclose any identified cybersecurity vulnerabilities or other incidents that may cause risk to the public.

Of course, the challenge is to figure out exactly how to hold companies accountable for a cyber breach. The news about the Spectre and Meltdown flaws, along with the new SEC guidelines, alerts the government, businesses and consumers to potential problems.

Cyber Breaches Highlight the Need to Monitor Public Trading Prior to Public Notification

It's concerning that the electronic devices that nearly everyone uses on a daily basis could pose such a large security risk. However, on a larger level, a few of the early incidents of cybersecurity breaches also highlight the need to monitor public trading when there is any suspicion of a cybersecurity breach.

Equifax and Intel provide examples of unethical trading behavior after executives at their companies became aware of a cyber breach.

The breach of Equifax data exposed the sensitive information of almost 145.5 million Americans. Prior to notifying the public of the breach, three company executives engaged in selling their shares in the amount of about $2 million within days after the breach was discovered. The same executives waited more than a month to notify the public. Equifax lost $4 billion in market value during the breach.

Intel CEO Brian Krzanich also sold millions of dollars worth in Intel company shares after he was notified that the Spectre and Meltdown chips had serious security vulnerabilities. The company failed to notify the public of the breach at their earliest opportunity.

What Do the New Guidelines Mean for Public Boards?

The SEC issued the Commission Statement and Guidance on Public Company Cybersecurity Disclosures on February 21, 2018.

The new guidelines warn public boards that security breaches and vulnerabilities can be considered 'material' information. Current U.S. securities laws state that insiders may not trade stocks based on information about the potential for a share price drop before the news becomes public. Trading after the official public notice of a cybersecurity breach is clearly illegal. Such tactics may also violate a corporation's ethics and insider trading rules.

All public companies should consider that they will be attacked at some point, regardless of the type of business they run. No public company is immune from a breach.

Public companies should make a point to learn the SEC guidelines and implement any appropriate cybersecurity measures accordingly.

The SEC understands that investigating a cybersecurity breach can take weeks or months. The SEC doesn't require notifying the public of a breach before they can complete an investigation. However, the new guidelines indicate that corporations may not delay steps to remedy the risk or reveal the breach to shareholders, stakeholders and the public.

In addition, public companies must form a comprehensive plan to respond to incidences of cybersecurity breaches, including notifying customers as soon as possible. These steps are particularly important for companies that use sensitive personal information such as Social Security numbers or other financial information. The SEC expects companies to follow regulations and industry standards in protecting consumers and stakeholders from material damage.

Of high importance is for public companies to halt public trading until the investigation is over, including stopping automated trades. Stopping trading will avoid any unnecessary suspicions of insider trading or stock dumping.

Some Final Remarks About the Crackdown on Cybersecurity for Public Boards

Microchips are tiny but mighty, and they can have mighty vulnerabilities. The public must be aware that improper handling of a cybersecurity breach poses the risk of public mistrust and reputational risk, which are both risks that are difficult to overcome.

While recent major breaches have caught the attention of lawmakers, there are currently no direct measures on the law books just yet, although there could be soon. The Data Security and Breach Notification Act is a new bill on the horizon. If passed, the Act would create the first federal standard that requires public companies to notify customers of a breach within 30 days. The Act, if passed in its current form, would also come with a maximum five-year prison sentence for companies that knowingly hide a breach. A positive part of the Act would give companies financial incentives for using technology that erased personal data once it was breached.

There may be more to come to address cybersecurity breaches, so companies will need to keep an eye on any new or pending legislation in order to make sure that they remain in compliance. SEC guidelines and new laws may be exerting pressure for increased protections, rather than leaving companies to embrace stronger cybersecurity measures at their own pace.