The U.S. Securities and Exchange Commission (SEC) has put public companies on notice that they need to improve how and when they disclose not only breaches but also material cyber risks to investors. The instructions were part of updated guidance on breach disclosure from the SEC, meant to protect investors and to make clearer what the regulator expects from public companies when it comes to transparency about information security.
Among the main points the SEC emphasized was that it would apply particular scrutiny to trading by insiders who have knowledge of breaches, vulnerabilities or other risks not yet known to the public. This resonates with many cybersecurity observers who have followed claims of insider trading by executives at both Equifax and Intel before major security lapses at each company were made public.
In the case of Equifax, four executives, including the firm’s CFO, sold $1.8 million worth of stock in the window between when the company learned of its massive breach last summer and when it disclosed the breach to the public. The company’s board cleared the executives in an internal investigation that it says found…