The Daily Swig Web security digest

New SEC guidelines call for clearer breach disclosures

Jessica Haworth | 23 February 2018 at 16:30

Agency also warns company bosses against selling stock following a cybersecurity incident.

The US Securities and Exchange Commission (SEC) has issued new disclosure guidelines for companies that have been subject to a security breach.

Advice published today from the SEC calls on public companies who have fallen victim to a hack to release details of the incident as quickly as possible.

The securities agency also warned executives against trading shares if they have knowledge of a breach before it’s been publicly disclosed.

All five members of the commission voted unanimously to approve the advice, though two Democratic commissioners warned that the guidelines are a re-hash of cybersecurity standards issued in 2011.

The new guidance reads: “Given the frequency, magnitude and cost of cybersecurity incidents, the commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”

Guidelines also inform companies that they cannot use law enforcement investigations to avoid reporting any breaches.

But the statement was blasted by two Democratic commissioners, who claimed that US cybersecurity policy still isn’t robust enough.

Robert Jackson wrote: “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy.

“The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.”

The statement comes as the Justice Department revealed it is investigating Equifax executives who dumped shares before making the 2017 hack public knowledge.

Equifax discovered a breach on July 29 in which the personal information of more than 145 million customers was compromised.

But it took the credit rating agency until September 7 to release details of the leak – days after top bosses sold shares in the company.

The Justice Department is now investigating after three executives sold a combined $1.8 million in shares on August 1 and 2.

They deny they had any knowledge of the security breach at the time of the sales.

Also last year, the CEO of Intel was criticized when he sold stock following the discovery of the Spectre and Meltdown vulnerabilities.

Intel was notified of the vulnerabilities in June. Documents available on the tech firm’s website indicate that CEO Brian Krzanich sold $24 million worth of shares before the company made details of the flaws public.

The company claimed the share sale was unrelated to the vulnerabilities and had been planned in advance, but Krzanich was widely criticized for the move.