The U.S. Securities and Exchange Commission (SEC) is updating its cybersecurity guidance, which describes how publicly traded companies should report data breaches to their investors. The updates are expected to take effect in the first and second quarter of this year and will require that investors be notified of all data breaches, instead of only major cyber attacks.
The new update will include rules on sending timely breach notifications to senior management. Second, the upcoming guidance is expected to address how firms should disclose cybersecurity events that represent a material risk to their investors. In addition, it will describe how firms can impose a trading blackout to prevent insider trading following a cybersecurity event.
“At the heart of SEC regulations is the recognized need for preparedness in the financial industry,” said Eldon Sprickerhoff, founder and chief security strategist at cyber security company eSentire. “Identifying risks, writing policies and procedures, and having the appropriate defenses in place are essential for businesses in 2018.”
When the cybersecurity guidance was released in 2011, it did not require public companies to report every data breach to investors; it focused mainly on major attacks that would affect the company’s business. Since then, there has been an increase in the number of data security incidents, including the Equifax breach (over 145 million U.S. consumers affected), Yahoo (3 million user accounts hacked), and the compromise of the SEC’s own database of nonpublic information.
Because the guidance was not mandatory, many firms did not spend enough time strengthening their cybersecurity posture and offered employees only limited examples of safeguards. For example, according to the SEC’s cybersecurity examinations, companies conducted annual customer protection reviews less frequently, security protocols were carried out only annually or not at all, employees were unclear whether certain activity was permissible, and little cybersecurity awareness training was performed.
“There is no doubt that with the combination of incoming GDPR implementation and the Equifax event last year, the SEC will increase the spotlight on Incident Response preparedness,” said Sprickerhoff. “Financial organizations with affiliate or domiciled firms in the U.S. must be prepared to present documentation, policies and procedures, and tangible evidence related to cybersecurity matters, or face the consequences.”