The US Securities and Exchange Commission (SEC) released a statement yesterday, warning high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities, and other cybersecurity-related incidents.
The SEC says the new guidance —available as a PDF, here— is not a new rule for companies, but a clarification on what classifies as insider information.
The SEC clarifies that information on security flaws and incidents is to be considered insider information and should not be used in making decisions to buy or sell securities (stock).
The SEC encourages companies to set up policies and procedures to prevent execs with knowledge of cybersecurity incidents from selling stock. Such policies usually take the form of contract clauses.
"Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the SEC guidance reads.
"There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said SEC Chairman Jay Clayton. "I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."
This official SEC warning comes after two highly publicized cases where high-ranking execs sold large quantities of stock before their companies announced a major security incident.
The first incident is related to the Equifax breach, where it was discovered that four executives sold stock worth over $1.8 million days after the company discovered a major breach, and months before Equifax publicly acknowledged the incident.
Equifax later cleared the executives, but the Department of Justice opened an official investigation into the stock sale, an investigation that is still ongoing.
The second incident relates to the recently disclosed Meltdown and Spectre vulnerabilities. According to reports, Brian Krzanich, Intel CEO, sold all the stock he was legally allowed to sell —worth around $39 million— right after learning about devastating security flaws that affected almost all of the company's processors released since 1995.
Intel said it was a planned sale, but the sale appears to have been planned after learning of the bugs. There is currently no official investigation into Krzanich's stock sale.