In 2018, the SEC released guidance urging public companies to guard against insider trading premised on undisclosed cybersecurity breaches and to ensure there are clear internal procedures in place to determine when a hack might be “material” to investors. According to the SEC, public companies should have policies and procedures in place that:
- guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material, non-public information (MNPI) about the incident; and
- help ensure that the company makes timely disclosure of any related MNPI.
The SEC also takes the position that companies are well served by considering the ramifications of such insider trading in advance of disclosures regarding cyber incidents that prove to be material.[1]
According to the FCA:
Firms of all sizes need to develop a “security culture,” from the board down to every employee. Firms should be able to identify and prioritize their information assets – hardware, software and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.[2]
In relation to cyber resilience and insider dealing, the FCA has found firms’ approaches to be generally lacking. It states that “we have seen only limited evidence of firms proactively seeking to ‘connect the dots’ between cyber and other conduct issues (i.e., insider dealing) which may be enabled through cyber channels.”[3]
The FCA emphasizes the importance of fostering a “security culture” that runs through all aspects of an organization and of taking steps to increase staff awareness on cyber issues.
Disclosure may be delayed if all of the following conditions are met:
- immediate disclosure is likely to prejudice the legitimate interests of the issuer;
- delay of disclosure is not likely to mislead the public; and
- the issuer is able to ensure the confidentiality of that information.
An issuer who has delayed the disclosure of inside information will need to inform the FCA of this fact and must be prepared to provide a written explanation of how the conditions for delay were satisfied.
Implementing Regulation (EU) 2016/1055 (as retained in UK law), which governs the public disclosure of inside information and the delaying of that disclosure, should be reviewed for further information on this topic.
[1] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, 8167 (Feb. 26, 2018).