US regulator cautions businesses over cyberattack delays

February 23, 2018

The main US financial regulator has beefed up its rules for businesses confronted with cyberattacks.

The update includes a warning to company insiders about trading in shares before the information becomes public.

The Securities and Exchange Commission said companies must provide “timely” disclosure of “material” information regarding cyber risks and incidents.

However, journalists say the move, which comes after some companies delayed disclosing hack attacks, doesn’t go far enough.

SEC chair Jay Clayton, who was appointed by US President Donald Trump, said the director must “encourage clearer and more robust revelation” to shareholders.

The update says businesses must adopt clear policies related to cyber risks. It also says an ongoing investigation doesn’t on its own provide a basis for delaying disclosure.

Two commissioners appointed by former President Barack Obama said they had expected more progress on the matter. Commissioner Kara M Stein called it a “rebrand” of rules the SEC published in 2011.

“There is so much more we can and must do,” said Ms. Stein.

In the United Kingdom, under laws that go into effect in May, businesses are required to report specific kinds of data breaches to authorities within 72 hours.

Companies must also inform people affected if the breach leads to consequences such as loss of control over personal data.

The US doesn’t have such laws at the national level.

The SEC’s move follows major breaches at numerous companies, including Equifax.

Members of the US Congress have questioned the firms over their decisions. The incidents have also led some members to call for earlier disclosure and to threaten tougher regulation.

Share sales by managers are among the issues that have drawn scrutiny.

At Equifax, four managers sold stock in the days after the company discovered the breach.

Equifax has said its investigation of the trades found the managers were not aware of the attack and acted properly.

A stock sale by Intel chief executive Brian Krzanich after the chip security flaw was revealed also raised questions. The company said the sale was tied to a pre-arranged plan.