Less than two months after Intel and other technology companies disclosed the Spectre and Meltdown speculative execution vulnerabilities, the Securities and Exchange Commission (SEC) published updated guidance instructing public companies on how and when to disclose cybersecurity vulnerabilities and incidents that could pose a risk to investors and the public. These flaws have once again brought data security to the attention of the U.S. government, businesses and consumers around the world, but far too little has been done to hold companies accountable for when and how security concerns are disclosed to shareholders and the public.
More concerning, there has been a troubling pattern recently of company executives apparently dumping shares before publicly disclosing a known cybersecurity incident. For example, the Equifax breach, which exposed the personal data of roughly 145.5 million Americans, made news when three company executives were alleged to have sold shares worth a collective $2 million just days after the breach was discovered, but more than a month before it was disclosed.
Within one week of the disclosure, the company lost nearly $4 billion in market value. That scandal reportedly has resulted in a Department of Justice investigation. Similarly, it has been reported that Intel CEO Brian Krzanich sold millions of dollars' worth of company stock after his company became aware of the Spectre and Meltdown vulnerabilities, but before they were publicly disclosed.
We take our roles in the fight against cybercrime seriously. We understand that investigating a data breach or other cybersecurity incident properly and thoroughly can take weeks or even months. We further understand that it is imprudent to release information about a suspected data breach without first conducting a proper investigation. But it is reckless and inappropriate for executives to withhold cybersecurity incidents from shareholders and the public, and to delay remedying them, while they continue to trade securities, even if those trades are executed under a prearranged automatic trading plan such as a Rule 10b5-1 plan.
Slow and inadequate responses by enterprises following high-profile cyber incidents not only expose the companies themselves to further harm, but also deepen public distrust and anxiety about the security of personal data.
In the new guidance issued on Feb. 21, the SEC warned that security breaches and vulnerabilities can constitute material nonpublic information, noting that it is illegal under U.S. securities laws for insiders to trade on such information before it becomes public, and that companies should consider restricting insider trading while an incident is being investigated. Such sales may also violate companies' own codes of ethics and insider-trading policies.
The SEC's action, even if it primarily responds to the concerns of shareholders, is a positive early step toward creating accountability and transparency in the wake of the headline-making breaches that have become so familiar. Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when. Companies should start from the presumption that they will be attacked and have a comprehensive incident response plan in place. That plan should include a consumer notification process, especially when sensitive data such as Social Security numbers and financial information is exposed. Regulation or industry standards should be put in place both to protect consumers and other stakeholders from material harm and to ensure transparency from company officers.
Another step in the right direction is proposed legislation such as the Data Security and Breach Notification Act, which would create the first federal standard for penalizing companies that fail to disclose a breach. The act would require companies to notify consumers of a security breach within 30 days, set a maximum five-year prison sentence for intentionally concealing such a breach, and create financial incentives for companies and organizations that use technologies, such as encryption, that render consumer information unreadable if it is stolen. Regulation such as this would strongly deter companies from knowingly acting in bad faith toward consumers and shareholders.
There is more to be done by the SEC and Congress on cyber disclosure guidelines and insider trading rules. The guidance issued last week is neither perfect nor a comprehensive solution, but it represents a needed push to ensure corporate transparency and a well-regulated response to cyber incidents, and it is necessary progress on a critical issue.
Michael Chertoff was secretary of the Department of Homeland Security from 2005 to 2009. He is executive chairman of The Chertoff Group, a security and risk-management advisory firm, and author of the forthcoming book, “Exploding Data: Reclaiming Our Cyber Security in the Digital Age.”
Bill Conner is the president and CEO of SonicWall, an internet security firm in San Jose, California, and chairman of the board of Comodo CA, an internet security firm in Clifton, New Jersey. He has more than 30 years of experience in high-tech industries, is a corporate turnaround expert, and is a global leader in security, data and infrastructure.