SEC Releases Updated Cybersecurity Guidance
The regulator added new guidance around cybersecurity disclosure controls and insider trading.
Largely upholding many of the prescriptions in its first cybersecurity guidance in 2011, the SEC said the new guidance on cybersecurity risks and incidents expands on the importance of cybersecurity policies and insider trading prohibitions that were not fully developed in the previous guidance.
“In light of the increasing significance of cybersecurity incidents, the commission believes it is necessary to provide further commission guidance,” the SEC said in the guidance released on February 21. “While the Commission continues to consider other means of promoting appropriate disclosure of cyber incidents, we are reinforcing and expanding upon the staff’s 2011 guidance. In addition, we address two topics not developed in the staff’s 2011 guidance, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.”
Cybersecurity has been a concern for the financial industry especially after several large cybersecurity intrusions occurred in the past few years. One of those targeted the SEC, which announced late last year that its Edgar database was hacked in 2016, setting in motion a series of Congressional grillings for chairman Jay Clayton.
The SEC said its guidance is not meant to ask firms to make disclosures about cybersecurity events that would compromise their efforts, like technical information on cybersecurity systems and potential vulnerabilities. Any potential rulemaking depends on how the guidance is received by the industry.
Under the guidance, companies are encouraged to enact cybersecurity risk management policies and regularly assess compliance “including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” The regulator said disclosure policies should not be limited to cybersecurity events, but include timely collection and evaluation of information.
The SEC already requires disclosures around risk and the guidance, it said, and reminded firms that large cybersecurity events must be reported, so escalated analysis is encouraged to determine the impact of the incursion on a higher corporate level. The SEC said it understands companies may see multiple cybersecurity events every day but encouraged them to elevate cybersecurity analysis so it can be reported in a timely manner.
New to the cybersecurity guidance is a section on insider trading based on knowledge of cyber threat incidents that are not made public, especially now that cybersecurity incidents have become a material event that can affect stock prices.
“We encourage companies to consider how their codes and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. The Commission believes that it is important to have well-designed policies and procedures to prevent trading on the basis of all types of material non-public information, including information relating to cybersecurity risks and incidents.”
Despite the release of the guidance, SEC commissioners Kara Stein and Robert J Jackson Jr. noted the Commission still has to do more in light of increasing cybersecurity threats and the continued dearth of what Stein called “elusive meaningful disclosures” around cybersecurity events.
“While it may have the potential of providing both companies and investors with incremental benefit, the guidance does not sufficiently advance the ball—even in the context of disclosure guidance,” Stein said in a statement. “Even more, it may provide investors a false sense of comfort that we, at the Commission, have done something more than we have.”
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Emerging Technologies
The IMD Wrap: With Bloomberg’s headset app, you’ll never look at data the same way again
Max recently wrote about new developments being added to Bloomberg Pro for Vision. Today he gives a more personal perspective on the new technology.
LSEG unveils Workspace Teams, other products of Microsoft deal
The exchange revealed new developments in the ongoing Workspace/Teams collaboration as it works with Big Tech to improve trader workflows.
IBM report finds ‘shadow’ data significant contributor to data breaches
As AI and cloud take on greater importance in the capital markets, firms need to consider their threat impact zones.
Bloomberg adds AI earnings summaries to Apple Vision Pro app
The vendor continues to add content and functionality to its Bloomberg Pro for Vision app, which sits at the convergence of spatial and mobile computing.
SS&C continues Blue Prism rollout, eyes other acquisition targets
The company is focusing on organic growth while keeping its eye on potential acquisitions.
CME: CFTC OKs clearing move to Google Cloud
The CFTC has given the Chicago-based exchange approval to run its clearing and settlement infrastructure on the Google Cloud Platform, while the exchange and vendor have extended their partnership to last until at least 2037.
Once a blockchain cheerleader, Axoni changes its playbook
The fintech, whose origins can be traced back to the genesis of capital markets’ complicated flirtation with DLT, has largely ditched the tech as the foundation of its data synchronization offering, opting for more familiar territory.
The IMD Wrap: Quality drivers—the sticks and carrots accelerating the data quality race
Like a Formula One Grand Prix, data management is a race that can be won or lost. And just as each race is part of a larger F1 championship that pays large sums of TV money to the winning team, winning or losing one race can contribute to winning or losing an endgame with much more at stake.