The move is meant to encourage publicly traded companies, including some healthcare services companies that were recently hit, to be more transparent about breaches and vulnerabilities.
The Securities and Exchange Commission (SEC) voted unanimously this week to introduce new guidance for companies that suffer cyberattacks. The move updates the original guidance on cyberattack disclosure, drafted in 2011, and encourages publicly traded companies to disclose attacks and risks transparently while discouraging insider trading.
The Commission stressed the need for new guidance given what has transpired since the first was issued. The complexity and frequency of cyberattacks have ramped up rapidly in the past seven years, and numerous publicly traded companies have felt the effects firsthand, including many in healthcare.
The new guidance asks that companies “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” and companies “that are subject to material cybersecurity risks” should divulge those risks even if they have not yet fallen victim to a cyberattack, according to the guidance.
It also warns executives of publicly traded companies against trading company stock in the immediate aftermath of a breach, before it has been disclosed. That provision appears to be a response to the massive Equifax breach that occurred over the summer. In that case, two prominent staffers sold off shares after the breach was discovered but before it was publicly disclosed.
The guidance does not outline specific timeframes for disclosure, nor does it provide exact requirements for what information should be reported. It also acknowledges the potential sensitivity of information that companies should disclose: “We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems…in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident,” it states.
SEC Commissioner Kara Stein believes that the move does not go far enough. Yesterday, she released a statement saying she was “disappointed with the Commission’s limited action,” and suggested several ways it could be built upon. An examination of how cyber threats have evolved since 2011 and an emphasis on the value of disclosure, she wrote, would have helped to differentiate the new guidance from existing measures.
Stein also believes that the SEC failed to seek notice and comment on risk management frameworks or minimum standards for the protection of personally identifiable information.
In 2017 and the first quarter of 2018, cyber threats rattled both healthcare providers and the companies that provide them services. Just last month, electronic health records provider Allscripts battled a ransomware attack that prevented many of its clients from using important software for nearly a week, causing cancelled appointments and widespread headaches for small clinical practices. There was also a massive, paralyzing wiper attack, masked as ransomware, in the summer of 2017 that hit pharmaceutical maker Merck and healthcare services company Nuance Communications, among others.