SEC Commissioner Robert J. Jackson, Jr. highlighted the increasing prevalence of cybercrime and its detrimental effect on public companies, citing over 1,000 incidents in 2016 alone that cost American companies more than $100 billion. Consistent with recent enhanced guidance on cybersecurity risks and disclosure obligations issued by the SEC, Commissioner Jackson encouraged collaboration between corporate counselors and the SEC to develop (i) proactive measures to combat cybercrime and to ensure timely and transparent disclosures following data breaches, (ii) corporate frameworks that discourage insider trading, and (iii) internal reporting structures to enable company boards and management to react.

When a security breach occurs, Commissioner Jackson emphasized the necessity of reporting it to the public quickly. In the absence of timely disclosure, he warned that companies may ultimately face prosecution, pay significant settlements, and suffer reputational harm.

To prevent insider trading, Commissioner Jackson said that senior management should be aware that trading on breach-related information before the breach has been disclosed could be fraudulent. Since the law is less clear regarding non-insiders trading on material nonpublic information, he expressed concern that hackers may be able to profit by making strategic trades after they have executed a cyberattack but before the public has learned about it. To prevent this type of misconduct, Commissioner Jackson said that timely public disclosure must be prioritized in the wake of any cyberattack.

Commissioner Jackson also stressed how vital it is for public companies across all industries to build effective internal cybersecurity controls. In addition to cyber-oriented corporate policies and procedures, Commissioner Jackson urged Congress or the SEC to take further action to address the issue of corporate insider trading in the cybersecurity context.

Commentary / Joseph V. Moreno

In the wake of the SEC's recent insider trading case against a former Equifax technology executive, companies should not be surprised if legislative or regulatory action follows that specifically addresses the issue of insider trading in the cybersecurity context. Insiders who trade on material nonpublic information known to them about a cyber breach or risk should expect severe action from the SEC and the Department of Justice. Companies that fail to enact policies, procedures, and controls to detect and prevent insider trading in the cybersecurity context also should expect scrutiny from regulators, which, at this point, have given adequate notice that this is something they expect to become part of a company's corporate compliance program.

What is less clear from Commissioner Jackson's speech is how he envisions companies and the SEC working together proactively to fight the scourge of cybersecurity attacks. Until and unless that becomes clear, companies should, at a minimum, get the message that cybersecurity risks and disclosure obligations are high on the SEC's priority list and are likely to stay that way.
