Tuesday 6 March 2018

SEC Stresses Insider Trading In New Cyber Guidance

New cyber security guidance issued by the U.S. Securities and
Exchange Commission warns publicly held companies’ boards of
directors to be alert to insider trading and the need to implement
cyber security procedures and protocols.

But some observers — including two Democratic SEC
commissioners — feel it adds little to the SEC’s 2011 guidance on
this issue.

Experts say the latest guidance stresses in particular warnings
against insider trading; the need for directors to stay on top of the
issue of cyber security by introducing policies and procedures;
and the requirement that firms disclose “material” issues related
to cyber security.

The 24-page guidance “reinforces and expands the SEC’s 2011
guidance,” said SEC Chairman Jay Clayton in a Feb. 21 statement
accompanying the new guidance.

Although the commission unanimously approved the guidance,
two commissioners said it did not go far enough.

Commissioner Kara M. Stein said in a statement released the
same date: “Unfortunately, despite the staff’s best effort to
develop guidance that elicits robust disclosure to investors,
meaningful disclosure has remained elusive.” She said she is
“disappointed with the Commission’s limited action.”

Commissioner Robert J. Jackson Jr. said in a separate statement:
“The guidance reiterates years-old staff-level views on the issue.
But economists of all stripes agree that much more needs to be
done.”
He quoted the Council of Economic Advisers as stating regulators
can devise a “scheme of penalties and incentives” that will help
raise cyber security investment levels “to the socially optimal
level.”

Kevin LaCroix, executive vice president of RT ProExec, a division
of R-T Specialty L.L.C., in Beachwood, Ohio, said it is noteworthy
that the two Democratic commissioners on the SEC “were critical
of the guidelines for not going far enough, so right away you’ve
got voices on the commission that feel the commission should
be doing even more to encourage companies to be more
forthcoming with their disclosures.”

Probably the most significant thing about the guidance is
that the SEC “felt obligated to issue it,” said Mr. LaCroix. “They
clearly wanted to send a message to reporting companies they
needed to be forthcoming about disclosure of cyber security
events.”

“I think that it was much ado about nothing, frankly,” LaDawn
Naegle, managing partner with Bryan Cave L.L.P. in Washington,
said of the guidance.
“I agree with many who have observed that it’s really just a
reminder by the Commission of the prior guidance that had been
issued by the staff with respect to a company looking at cyber
security risk and cyber security incidents” and conducting an
analysis of what is material and how best to disclose it, said Ms.
Naegle.

David M. Furbush, a partner with Pillsbury Winthrop Shaw
Pittman L.L.P. in Palo Alto, California, said: “The most meaningful
takeaway for me is their emphasis on certain issues,” which
suggests these may become enforcement priorities.

There are “repeated mentions in the guidance of policies and
procedures that will prevent insiders from trading in the
company’s stock during the period of time when they know
there’s a cyber security incident that’s not then publicly
discussed,” he said.

Mr. Furbush said he suspects the SEC will be “very diligent” in
enforcing insider trading rules when this occurs.

Executives of Atlanta-based Equifax Inc. had sold company stock
before its data breach was publicly announced. The company
later said in a statement that none of the executives had been
aware of the breach when their trades were made.

There was also a lot of emphasis on the extent of cyber security
oversight, Mr. Furbush said. He said he believes if it appears a
company had inadequate policies and procedures, the SEC will
examine whether this was because of the board’s failure to
oversee the issue.

Brian H. Lam, an associate with Mintz, Levin, Cohn, Glovsky &
Popeo P.C. in San Diego, said the guidance “shows that the SEC is
serious about this.” But “what will really spur people to take this
seriously” is how the SEC pursues the issue, Mr. Lam said.

Mark L. Krotoski, a partner with Morgan, Lewis & Bockius L.L.P. in
Palo Alto, said the guidance “does provide a level of flexibility. In
contrast to other cyber security regulations, which are mandated,
specific requirements, this one does afford some measure of
assessment of the facts.”

“I don’t know how they would go further, shy of promulgating
express and mandatory disclosure requirements,” said Rachel K.
Paulose, a partner with DLA Piper L.L.P. in Minneapolis, who is a
former SEC senior trial counsel.

At the highest level, boards “should go through the experience of
educating themselves about the company’s defenses against
cyber security attacks and the company’s plans and procedures
for dealing with when that happens,” said Mr. Furbush.

Companies should re-form their policies “to explicitly prohibit
insider trading around cyber incidents,” said Ms. Paulose.
