The Securities and Exchange Commissioner says that corporations need to do more to protect investors from the financial damages of data beaches.
Speaking at Tulane University’s Corporate Tulane Law School on Thursday, a leader of the SEC plainly stated that American companies are “under attack” from hackers.
“The cyberthreat is not primarily a regulatory issue any more than it is primarily a technological issue. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention,” SEC Commissioner Robert Jackson said.
The SEC issued updated guidance last month for how companies should approach the issue of breach disclosure. Jackson said that he only reluctantly joined the guidance because it leaves too much discretion to corporate counsel to decide whether investors should be informed of an incident.
“I worry that these judgments have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk,” Jackson said.
Despite that worry, Jackson said that cybersecurity is still an issue best dealt within the boardroom.
“The cyber threat is a corporate governance issue,” he said. “The companies that handle it best will have relevant expertise in the boardroom and the C-suite, a strategy for engagement with investors and the public, and—most of all—sound advice from corporate counsel who can navigate uncertain times and uncertain law in a critical area for the company’s business.”
Even if a company doesn’t inform investors, a knowledge of a breach can still make its way to the public, Jackson said, which wears down investor confidence. He added that some companies are spending too much time on damage control and not enough time developing preventative plans.
“Besides public approbation and litigation … the board and management are forced to spend time scrambling rather than pursuing a viable long-term strategy for cyber defense. In the meantime, a few sophisticated and speedy traders may benefit from informed trading, while average American investors suffer,” Jackson said.
Jackson also commented on the threat of insider trading when it comes to data breaches. On Wednesday, the SEC and the Department of Justice charged former Equifax executive Jun Ying with allegedly using privileged knowledge of the company’s massive breach to sell stock and avoid losses.
“There’s no doubt that investors’ confidence is shaken whenever they learn that a company’s cyber defenses have been hacked. But when it’s revealed that the insiders entrusted to protect investors used those events as an opportunity to profit personally, investors rightly question the basic trust that forms the core of our markets,” he said.
As Equifax was investigating its breach before going public, the company kept the name of the victim (itself) secret from most if its own employees, Forbes reported. Experts said that is a standard practice, but Equifax apparently did not inform some employees investigating the breach that there was a trading blackout. Ying allegedly figured out on his own that Equifax was the victim and traded his shares before the company publicly announced the breach.