- The Securities and Exchange Commission issued new guidelines on Wednesday for public companies regarding their duties concerning the disclosure of security breaches and vulnerabilities.
- The guidelines come amid scrutiny of a massive stock sale Intel CEO Brian Krzanich made last fall after his company found out about – but before it publicly disclosed – the Meltdown and Spectre attacks.
- The agency advised companies to disclose such incidents to investors in a “timely” manner.
- It also warned executives and directors not to trade in their companies' shares in the period between finding out about a “material” security problem and disclosing it to the public.
Intel CEO Brian Krzanich sold millions of dollars worth of company stock after his company became aware of the Spectre and Meltdown security vulnerabilities, but before they became public.
The Securities and Exchange Commission has a bit of advice for other executives thinking of doing something similar: Don’t.
In new guidelines issued on Wednesday, the agency warned that security breaches and vulnerabilities could constitute “material” information, noting that it’s illegal under US securities laws for insiders to trade stocks based on such information before it becomes public. Such sales may also violate companies’ ethics and insider trading policies.
“Directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company,” the SEC said in the guidelines.
It continued: “Companies should have policies and procedures in place to […] guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information.”
Additionally, the SEC encouraged companies to disclose security breaches and vulnerabilities to investors in a “timely fashion.”
The new guidelines follow disclosures of the Meltdown and Spectre attacks
The guidelines come less than two months after Intel and other tech companies disclosed the Spectre and Meltdown vulnerabilities. Those vulnerabilities, which take advantage of a feature found in nearly all computer processors, could be used in cyberattacks that would allow malicious actors to steal private data stored on computers, such as passwords.
The exploits were of particular concern to Intel. The vulnerability they take advantage of has been present in nearly all Intel chips for the last 20 years. And while just about all processors found in smartphones, tablets, and PCs are vulnerable to the Spectre attack, few chips other than Intel’s are at risk of the Meltdown attack.
Intel was notified of the attacks in June, but waited some seven months to disclose them. In between the company becoming aware of the processor security problems and their public disclosure, Krzanich gained $24 million by selling all of the shares and options he was allowed to sell under his contract.
The company has said his stock sale was unrelated to the Meltdown and Spectre vulnerabilities, noting that it was done as part of a planned stock sale. But Krzanich put that plan in place just the month before – some five months after Intel became aware of the Meltdown and Spectre vulnerabilities.
Intel is facing some 35 lawsuits related to Spectre and Meltdown
Intel’s handling of the disclosure of the exploits is now the subject of some 35 lawsuits, including a pair of shareholder derivative suits specifically related to Krzanich’s stock sale.
Similar questions were raised about stock sales by Equifax executives made last year, in between the company becoming aware of a massive security breach and it disclosing that breach to the public.
It’s unclear whether the SEC’s new guidelines were prompted by either the Equifax or Intel security issues. The Justice Department is reportedly investigating the stock sales at Equifax. It’s unclear whether the department or the SEC is investigating Krzanich’s sale.
The guidelines don’t represent new rules. Instead, they’re essentially a clarification of existing ones. As such, the fact that the agency didn’t issue them until Wednesday wouldn’t bar it from investigating Krzanich’s sale, even though that sale predated those guidelines.
An SEC representative declined to comment on the guidelines or whether the agency is investigating Krzanich’s sale. An Intel representative did not respond to an email seeking comment.