Jarrett Kolthoff | December 9th, 2018

Business Journal Ask the Expert Column

The Securities and Exchange Commission recently released its 2018 Guidance on Public Company Cybersecurity Disclosures, which targets two new areas of concern: cybersecurity policies and procedures, and insider trading prohibitions, specifically those revolving around cyber breach notifications to the public. The role of accounting and the CFO will be critical in ensuring the guidelines are met and that public companies stay compliant.

The last major SEC guidance on cybersecurity was issued 7 years ago. What has changed, and is there a new focus?

The SEC seems focused on greater accountability and more proactive procedures and processes. The focus will be squarely on the C-suite, the Board of Directors and the Audit Committee. This new guidance places its emphasis on the establishment of comprehensive policies and procedures, as well as a management directive for proactive evaluation of those policies and procedures. Per the SEC, in the event of a breach there must be an established protocol for the disclosure of relevant information to internal stakeholders, investors, analysts, and the public at large. The goal is to bring together a team of internal and external experts to analyze and evaluate the right information in the right way, then communicate it effectively across all channels.

What kind of cybersecurity policies and procedures should we consider in order to comply with SEC guidelines?

Cybersecurity must now be a critical part of your company’s overall risk management program, not an afterthought or a standalone function. The threat level is simply too great in today’s business environment. You can’t be complacent. Not only do the new regulations call for direct policies and procedures, they call for comprehensive processes, controls, and continuous evaluation, to help management not only identify risks but appropriately mitigate them. Engaging third-party resources, such as SpearTip, in tabletop exercises, real-time “war games,” and cybersecurity monitoring services should be part of your plan to meet SEC expectations.

What’s all the talk of insider trading with the new SEC stance?

Because stock prices can tumble massively following a breach, there’s a spotlight on insiders to keep them from acting on their own behalf before a public disclosure. The SEC is pushing for rigid enforcement of a stricter set of rules concerning the use of material non-public information. It’s critical for company management to implement additional policies, procedures, checks, balances, processes, and controls to stop company executives and insiders from exploiting confidential inside information about cybersecurity incidents, and from trading securities on the basis of that information before the public is aware of the situation.

Is there a specific emphasis concerning insider trading that we should address immediately?

Yes. Without question. The new directive clearly points not only toward accountability, but also toward enforcement. Should management become aware of material cybersecurity risks, breaches or other incidents that have taken place within the organization, responsibility is now placed squarely upon their shoulders. Directors, C-suite executives and the executive management team must thoroughly evaluate the effectiveness and viability of your company’s code of conduct, code of ethics, cyber defensive posture, and insider trading policies to prevent and deter trading based upon sensitive, non-public information to which only your highest-ranking officials will have access.

What’s the most important takeaway we can glean from this SEC action?

From our interpretation at SpearTip, the SEC wants assurances that management has a full and complete understanding of your company’s cybersecurity framework, the procedures and controls you’ve put in place, and your ongoing testing and evaluation of how effective your controls truly are. We highly recommend engaging a third-party cybersecurity firm to assist in the process; one that would participate as an unbiased, impartial, neutral party, that can advise, assist and inform management and add an arm’s-length level of security, which will demonstrate your commitment to cyber risk management and