SEC’s new cyberattack rules a warning shot to Corporate America

Consider the Securities and Exchange Commission’s latest advice on how Corporate America should handle cyberattacks a warning shot.

The lengthy but vague guidelines, which follow headline-making hacks of publicly traded companies from Equifax to Yahoo and Target, remind directors and executives that they must not only inform investors after major cyberattacks have occurred but also alert them beforehand to the risks that exist. Insiders, the agency says, shouldn’t trade a company’s stock while required disclosures haven’t been made.

What the SEC guidance doesn’t do, however, “is give any prescriptive requirements or hard-and-fast suggestions,” Stacy Scott, a managing director with the cybersecurity and investigations practice at Manhattan-based business consultant Kroll, told the Washington Examiner. “It moves the bar a little, but not a whole lot.”

Touching on several of the issues highlighted by the theft of personal identification data for more than 140 million Americans from credit-reporting firm Equifax in 2017, the agency statement also incorporates guidance issued by its Division of Corporation Finance seven years ago, giving it the imprimatur of the commission itself.

At least two of the agency’s five commissioners, one appointed by former President Barack Obama in 2013 and another by President Trump this year, argue that the agency needs to go further, a prospect it didn’t rule out.

“There is so much more we can and should do,” said Commissioner Kara Stein, the Obama appointee, suggesting initial steps toward rules addressing corporate board responsibilities, safeguarding personal identification data, and making a timely disclosure to investors. “The guidance does not sufficiently advance the ball.”

Commissioner Robert Jackson, the Trump appointee, said the guidance should be merely a first step, and Chairman Jay Clayton noted that the agency will consider feedback about whether more guidance or rules are needed.

Such rules might have been useful for Equifax, which faced a firestorm of criticism after admitting that it discovered the hack in July and didn’t disclose it until early September. Revelations that four corporate executives sold stock after the breach was discovered but before it was announced inflamed investors even further, though a probe by Equifax’s board determined none of the sellers knew what had happened.

The Atlanta-based firm lost more than 30 percent of its market value afterward, and then-CEO Richard Smith stepped down, though he still represented the company in grueling congressional hearings.

Equifax shares have yet to regain their September high of $142, ending February at $113, though Smith’s temporary successor, Paulino Barros, has said the firm is making progress on improving its security and responding to numerous queries from lawmakers and regulators about what happened.

Among the steps he has taken are creating a chief transformation officer position to oversee Equifax’s response and changing the company’s organizational chart so that the chief security officer reports directly to the CEO.

Because the risk of attacks like the one on Equifax and the penetration of 3 billion accounts at search engine Yahoo in 2013, the extent of which wasn’t disclosed until four years later, is constantly evolving, corporate boards must make sure they are providing effective oversight in order to fulfill their obligations to shareholders, said Kroll’s Scott.

Yahoo’s hack also cost investors significantly when it prompted telecommunications giant Verizon to cut its bid for the company by $350 million, ultimately paying only $4.5 billion for an acquisition completed in mid-2017.

“We’re seeing boards of directors being sued,” Scott noted. “Civil cases are coming up that are saying, ‘You are negligent in your due diligence, your fiduciary responsibility, because this is a huge cost after the breach.’”

At the same time, directors involved in cybersecurity at some firms are still asking whether their company is at risk.

“The answer to that is, ‘Yes,’” Scott said. What they should be focused on instead is making sure they understand the extent of their firm’s risk and its capability of detecting and responding to attacks.

Directors also need an ongoing conversation with company executives about how to determine whether a data breach is significant enough that it should be reported to regulators and investors – and how to explain their decision in the aftermath of one, Scott said.

That’s an area where the SEC’s latest pronouncement provided little direction, which is among the reasons it’s unlikely “to create a sense of urgency on a bunch of boards,” Scott said.
