Recommended reading

SEC Warns Against Selling Stock During Security Incidents

News
By published

Following the Equifax data breach and the Meltdown/Spectre scandals, the U.S. Security and Exchanges Commission (SEC) issued a warning reminding executives that trading stock during such incidents classifies as insider trading and is punishable by law. In both of those incidents the CEOs and other executives sold stock after learning about the security issues, but before the problems were publicly revealed.

SEC Warning

The SEC issued new guidance to clarify that company executives are not allowed to trade on insider information, such as knowing that their company suffered a data breach, until the information is made public.

The commission added that these are not new rules; they've been in place for a while. However, after several Equifax and Intel stock sales during the internal investigation of their respective security issues, the SEC thought it should issue a reminder:

Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.

Equifax Data Breach

Equifax experienced one of the most devastating data breaches in U.S. history, as the personal information of over 145 million Americans was exposed. Meanwhile, several executives, including the Equifax CEO at that time, Richard Smith, sold stock worth over $1.8 million after learning of the data breach and before making the information public.

However, despite the SEC issuing the new guidance and clarifying that this was illegal, it previously declined to investigate the Equifax executives for insider trading. The executives are still under criminal investigation by the Justice Department.

Intel’s Meltdown

Although Intel said that its CEO’s stock sale was “planned” for last fall, it turned out that Krzanich planned the sale only after learning about the Meltdown and Spectre vulnerabilities from Google. Again, this should not be allowed, according to the SEC’s new guidance, but for now it’s not clear if the agency is pursuing an investigation against Krzanich.

Either way, other companies were put on notice if they allow their executives to sell stock during internal security incident investigations, but how well the companies respect this new guidance may depend on how willing the SEC is to enforce its own rules when companies break them.

TOPICS
Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
8 Comments Comment from the forums
  • popatim
    They need to prosecute and fine these people! We all know this is illegal and so did they! Everyone else will understand this 'gentle reminder' and not do it so openly.

    The rest of the public will see that this isn't really the Corporate States of America, where those with the money can do whatever they want...
    Reply
  • Brian_R170
    Security is heating up worldwide. For high-tech companies with enough high-profile products in the market, there will come a time, when there is ALWAYS a "security incident" in a company's product line that is known but not yet publicly disclosed. It would not surprise me if that time has already come for companies like Intel, Microsoft, Apple, Google, etc.
    Reply
  • manleysteele
    20732885 said:
    Security is heating up worldwide. For high-tech companies with enough high-profile products in the market, there will come a time, when there is ALWAYS a "security incident" in a company's product line that is known but not yet publicly disclosed. It would not surprise me if that time has already come for companies like Intel, Microsoft, Apple, Google, etc.

    That dog has been off the porch for a long time for those four companies.
    Reply
  • Olle P
    20732885 said:
    ... For high-tech companies with enough high-profile products in the market, ... there is ALWAYS a "security incident" in a company's product line that is known but not yet publicly disclosed. ...
    ... and the obvious solution is that anybody with inside information in these matters is totally forbidden from trading stock of that company!

    What disturb me is the part:
    ... companies were put on notice if they allow their executives to sell stock during internal security incident investigations, but how well the companies respect this new guidance...
    In what way can the companies (dis)allow this?
    If any company learn about insider trading by an executive the proper action is of course to first notice the authorities and Trade Comission. (Failing to do so should also be criminal!)
    Then the company can decide wether or not to take any further actions against the criminal person(s).
    Reply
  • gaaah
    And we all know how devastating a "reminder" can be. If these guys try it again they're likely in danger of being chided, or worse, scolded!
    Reply
  • popatim
    Or the worst, they might have to stay in their mansion for a whole week! Oh the Horror!
    Reply
  • 10tacle
    I was on vacation for a week and am just catching up on Tom's back stories. When I first read this headline I thought it was referring to *anyone* dumping stock, not just employees (execs or otherwise) which I'd have a major problem with. The key here is the companies taking action against said employees and notifying the SEC before the news of a security breach went public. If the SEC starts heavily fining said companies who fail to act then you can bet that more will do their duty. With that said however and alluding to Lucian's closing comment in the article, if the SEC does not enforce their own laws and punishment, then what is the point?

    Finally, the next question to address is when are companies going to be fined for concealing and delaying notifying the public about a security breach? We've seen it from Yahoo, Sony's Playstation Network, Target, and several others who have delayed notifying the public. The corporations themselves need to be fined as well for not timely notifying the public and trying to internally rectify the situation before it goes public. But more often than not by the time they take action, the damage has spread and gotten out of control. In Sony's defense they fined themselves in essence by giving us PS3 owners a month free of PSN Plus membership and two free AAA title games to download (this was during the PS3 days prior to the PS4 and when you didn't need to purchase a PS+ subscription to game online).
    Reply
  • Olle P
    20747123 said:
    ... the next question to address is when are companies going to be fined for concealing and delaying notifying the public about a security breach? ...
    Within EU that's just around the corner. A new "GDPR" act that will supercede any previous laws in a few months state (amongst other things) that companies are required to detect and act upon breeches.
    Many companies are now very busy trying to implement the legal requirements to fulfil the new law.

    Reply