By Robert Hackett
February 24, 2018

Good afternoon, Cyber Saturday readers.

The U.S. Securities and Exchange Commission on Wednesday issued new guidance imploring companies to be more transparent in handling cybersecurity risk and data breach disclosures. The injunction, which, it must be noted, lacks teeth, is awfully similar to recommendations the commission made when it last issued guidance on the matter in 2011. Three aspects of the new directive are worth reviewing, nonetheless.

First, the SEC exhorted companies to report vulnerabilities and hacking incidents “in a timely fashion.” Equifax caught heat five months ago for revealing a massive theft of people’s Social Security numbers six weeks after it learned of the heist. In November, Uber came under fire for withholding details of—essentially covering up—a year-old security breach affecting millions of customers. It’s hard not to see the SEC’s re-upped guidance in light of these failures. Don’t dilly-dally when it comes to disclosure, people.

Second, the SEC enjoined corporate insiders not to sell shares of a company when holding privileged knowledge about cyberattacks and breaches that could affect stock price. Equifax once again fits the bill: A big stock selloff by its executives before the disclosure of its staggering robbery spurred multiple insider trading investigations. Intel CEO Brian Krzanich got hit with backlash, too, for selling a large block of shares after learning of the Meltdown and Spectre computer chip vulnerabilities, but before disclosing them to the public. Be smart.

Third, the SEC called on businesses not to use law enforcement investigations as an excuse for keeping quiet about breaches. Companies should be sure not to reveal anything that might damage an investigation—but the existence of an investigation alone is no reason to keep investors in the dark. Lots of companies resort to this trick. Find a better excuse.

The SEC’s revised guidance will rely on the good will of companies to follow it. Corporate America would do well to heed the prescriptions, lest it wish the heavy hand of regulation to lay the smackdown on it. (Just look across the pond at GDPR.) For anyone who thinks these mandates are obvious, tell that to the execs at Equifax, Intel, and Uber.

Signs of stronger SEC actions to come already loom. Though all five SEC commissioners approved of the new guidance, some did so “reluctantly.” Two Democrats, Kara Stein and Robert L. Jackson, indicated that they want harsher penalties in place for companies in breach of these guidelines. Be assured, if the private sector doesn’t clean up its act, it’ll be forced to comply in the future.

Have a great weekend.

Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.
