[BreachExchange] SEC Plans Cybersecurity Guidance Refresh: What to Expect

[Audrey McNeil]

https://www.databreachtoday.com/sec-plans-cybersecurity-
guidance-refresh-what-to-expect-a-10554

The U.S. Securities and Exchange Commission is planning to update its
6-year-old cybersecurity guidance for how publicly traded firms report data
breaches to investors.

The agency has indicated that it expects to refine guidance around how
businesses disclose cybersecurity risks to investors as well as require
insider trading programs to include blackout rules in the event that a
suspected data breach gets discovered (see Report: SEC Plans Breach
Reporting Guidance Refresh).

"Unfortunately, in the reality that we live in now, cyber breaches are
going to be increasingly common, and this is in part why the SEC is so
fully focused on cybersecurity," says Matt Rossi, a former assistant chief
litigation counsel to the SEC who's now an attorney specializing in
securities litigation and enforcement as well as data privacy at global law
firm Mayer Brown. "Chairman [Jay] Clayton said it's one of the greatest
risks to the financial system right now."

Indeed, in September, Clayton signaled to a Senate banking committee that
companies would be required to disclose more cybersecurity information to
investors in a timely manner (see SEC Chair Wants More Cyber Risk
Disclosure From Public Firms).

His remarks, ironically, followed the SEC having failed to publicly
disclose its own major breach for 16 months (see Hackers May Have Traded on
Stolen SEC Data).

In November, meanwhile, William Hinman, the SEC's director of corporation
finance, signaled that the regulator's cybersecurity guidance, first issued
on Oct. 13, 2011, wouldn't be overhauled but rather amended with some new
requirements, such as how breach information gets disclosed internally and
escalated to senior management (see Report: SEC Plans Breach Reporting
Guidance Refresh).

Expect Multiple Changes

With the refresh, Rossi says businesses should expect to have to disclose
more cyber risks, refine their insider trading policies and prove that
they're taking information security seriously.

"We're likely to see an increased emphasis on having public companies
disclose the cyber risks they face, focusing on their business model, the
nature of their operations and the evolving and changing nature of cyber
risks," Rossi says. "I also think there's going to be an expectation by the
commission that we're going to see more timely disclosure of data breaches
when they do occur."

No information security practices, policies or procedures are ironclad. But
Rossi says businesses will likely be called on to prove that they have
mechanisms in place to increase the likelihood that they can detect
breaches in a timely manner, escalate these concerns to senior management
and rapidly "figure out if the breach is material to investors and needs to
be disclosed in a timely basis."

Don't expect the SEC to begin immediately enforcing any new guidance.
"Typically they'll issue guidance, say what they want to see and that often
is a precursor to enforcement action when they don't see companies or firms
living up to their guidance they issued," Rossi says.

Avoid Insider Trading

There's no one-size-fits-all approach to revamping insider trading programs
to deal with suspected data breaches. But the Equifax breach and
suspiciously timed trades by some of its executives have highlighted the
need for organizations to more carefully monitor when employees are allowed
to buy or sell shares in their companies (see Equifax: Share-Selling
Executives Didn't Know About Breach).

"Given the potential severity of the events following the Equifax breach,
it is likely the SEC will emphasize that the general counsel's office or
another impartial body must examine trades that occur off an automatic plan
and that may be in the same time period of a data breach or some other
material cyber event," says Chris Pierson, CSO and general counsel for
Florida-based payment services firm Viewpost. "Instead of the SEC dictating
what must happen here, look for it to require written, audited and
board-approved programs that detail the process to review and approve major
or senior executive stock purchases and sales."

Don't Delay

Delayed breach disclosures were a recurring theme in 2017. After search
giant Yahoo failed to properly investigate a 2013 breach, it belatedly
issued waves of bad news, ultimately finding that the breach had
compromised every one of its accounts (see SEC Reportedly Probing Yahoo's
Breach Notification Speed).

Ride-sharing platform Uber has been criticized for failing to disclose a
breach for more than a year, and then its new CEO waited two months to
issue a public notification of the breach after he learned about it (see
Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack).

Britain's privacy watchdog, the Information Commissioner's Office, has
indicated that Uber's cover-up of the breach - which affected U.K.
residents - would likely increase the size of any fine levied against it
(see Driving Privacy Regulators Crazy: UK Probes Uber Breach).

Under the EU's General Data Protection Regulation, which begins to get
enforced in May 2018, organizations that learn that they may have been
breached must notify authorities within 72 hours.

Notify Quickly

Exactly how that GDPR requirement will work in practice remains to be seen,
and the same would be true for any breach-notification timelines the SEC
might issue (see Data Breach Notifications: What's Optimal Timing?).

"Data breach timing is an especially sensitive and misunderstood topic,"
Pierson says. "Most news stories, regulators, and others who have not
performed data breach forensics, investigation and mitigation do not
understand the intricacies of when a breach is thought to be discovered,
known for sure, data identified and customers impacted."

The best approach for the SEC, Pierson says, would be to require businesses
to privately notify the regulator if they detect that something is amiss
and follow it up with a timely, public notification, if that proves to be
true, by issuing an 8-K disclosure. That's the form used to notify
investors in U.S. public companies of specified events that may be
important to shareholders or the SEC.

Expect Revised Rules Soon

The SEC declined to comment on when it will issue the updated guidance, but
Pierson expects to see it in the first or second quarter of 2018, once more
details about the Equifax breach come to light.

Both Pierson and Rossi expect the SEC to stick with its current approach,
requiring businesses to report cybersecurity events that could have a
"material impact" on the business that could affect its financial
performance or impact shareholders (see Verizon's Yahoo Breach Question:
What's 'Material'?).

"We're unlikely to see a change in the principles-based approach - in other
words, I think it's unlikely we'll see specific, detailed requirements,
because companies have different risks and face different requirements,"
Mayer Brown's Rossi says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171229/43282d78/attachment.html>