Following the Equifax data breach and the Meltdown/Spectre scandals, the U.S. Securities and Exchange Commission (SEC) issued a warning reminding executives that trading stock during such incidents classifies as insider trading and is punishable by law. In both of those incidents the CEOs and other executives sold stock after learning about the security issues, but before the problems were publicly revealed.
The SEC issued new guidance to clarify that company executives are not allowed to trade on insider information, such as knowing that their company suffered a data breach, until the information is made public.
The commission added that these are not new rules; they've been in place for a while. However, after several Equifax and Intel stock sales during the internal investigation of their respective security issues, the SEC thought it should issue a reminder:
Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.
Equifax Data Breach
Equifax experienced one of the most devastating data breaches in U.S. history, as the personal information of over 145 million Americans was exposed. Meanwhile, several executives, including the Equifax CEO at that time, Richard Smith, sold stock worth over $1.8 million after learning of the data breach and before making the information public.
However, despite the SEC issuing the new guidance and clarifying that this was illegal, it previously declined to investigate the Equifax executives for insider trading. The executives are still under criminal investigation by the Justice Department.
Although Intel said that its CEO’s stock sale was “planned” for last fall, it turned out that Krzanich planned the sale only after learning about the Meltdown and Spectre vulnerabilities from Google. Again, this should not be allowed, according to the SEC’s new guidance, but for now it’s not clear if the agency is pursuing an investigation against Krzanich.
Either way, companies that allow their executives to sell stock during internal security incident investigations have been put on notice, but how well the companies respect this new guidance may depend on how willing the SEC is to enforce its own rules when companies break them.
The rest of the public will see that this isn't really the Corporate States of America, where those with the money can do whatever they want...
That dog has been off the porch for a long time for those four companies.
What disturbs me is the part: In what way can the companies (dis)allow this?
If any company learns about insider trading by an executive the proper action is of course to first notify the authorities and Trade Commission. (Failing to do so should also be criminal!)
Then the company can decide whether or not to take any further actions against the criminal person(s).
Finally, the next question to address is when are companies going to be fined for concealing and delaying notifying the public about a security breach? We've seen it from Yahoo, Sony's PlayStation Network, Target, and several others who have delayed notifying the public. The corporations themselves need to be fined as well for not timely notifying the public and trying to internally rectify the situation before it goes public. But more often than not by the time they take action, the damage has spread and gotten out of control. In Sony's defense they fined themselves in essence by giving us PS3 owners a month free of PSN Plus membership and two free AAA title games to download (this was during the PS3 days prior to the PS4 and when you didn't need to purchase a PS+ subscription to game online).
Many companies are now very busy trying to implement the legal requirements to fulfil the new law.