On March 9, 2022, the SEC proposed rules mandating cybersecurity disclosure, including a new Item 1.05 for Form 8-K, which requires current reporting of cybersecurity incidents deemed by the registrant to be material.
In a 2018 article published in the Harvard Business Law Review, Columbia Law Professor Eric Talley and I identify trading patterns suggestive of informed trading prior to the disclosure of cybersecurity breaches. We argue that trading of this type raises complex and, in context, unique concerns over price discovery, liquidity, and efficient allocation of resources. Profits from such trading may increase hackers’ incentives to exploit security vulnerabilities, leading to impersonation, identity theft, and greater dissemination of stolen personal information. These represent real economic costs not present in garden-variety information-trading contexts. Consequently, informed cyber-trading plausibly justifies enhanced legal scrutiny of those who profit from the activity.
The treatment of informed trading on cybersecurity breaches is complicated under existing law. It is unlawful for an agent or fiduciary to trade on a firm’s material non-public information, for third parties to steal such information, or for a person to spread false information about a cybersecurity risk in order to manipulate stock prices. But if third parties were simply to use computer queries to access, discover, trade upon, and then expose bona fide cybersecurity vulnerabilities, they might face little liability under current law. It is thus critical to have effective ongoing disclosure of cybersecurity vulnerabilities, as the SEC proposes.
The SEC should be commended for its thoughtful and comprehensive proposal. In general, mandating current reporting of cybersecurity incidents on Form 8-K is likely to protect investors by reducing information asymmetry and enhancing share-price accuracy in the market. The SEC’s attention to academic scholarship on this topic is also commendable and reflects a commitment to high-quality public policy. Yet I will raise a few specific questions and comments.
First, the proposed rule provides, “A report pursuant to Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.” In other research (“The 8-K Trading Gap”), my co-authors Professor Alma Cohen and former SEC Commissioner Robert Jackson and I show that corporate insiders trade during this four-day period between the occurrence of a material event and the filing of a Form 8-K like that which would be filed to disclose a material cybersecurity incident.
In January 2020, by a vote of 384-7, the U.S. House passed the 8-K Trading Gap Act, which would prevent executive officers and directors from trading their securities after a significant corporate event but before disclosing that event through a public filing. To reduce insider trading in connection with cybersecurity incidents, the SEC may wish to consider prohibiting insider trading during this four-day period.
Second, the proposed rule provides, “No failure to file a report on Form 8-K that is required solely pursuant to . . . Item 1.05 . . . of Form 8-K shall be deemed to be a violation of 15 U.S.C. 78j(b) and § 240.10b-5.” Most insider trading cases are prosecuted as a violation of Rule 10b-5 under the theory that the insider had a duty to disclose or abstain from trading. The SEC may wish to reconsider whether this safe harbor is necessary, as it may weaken the deterrent effect of the rule on trading on material, nonpublic information. The stated justification – that these safe harbors are appropriate “if the triggering event for the Form 8-K requires management to make a rapid materiality determination” – may not be as compelling in the cybersecurity setting.
Finally, the disclosure obligation only arises when a cybersecurity incident is “determined by the registrant to be material.” Suppose a firm deems a material cybersecurity incident to be immaterial. Is there a violation of the 8-K reporting rules? The proposed rule already requires that the determination be made “as soon as reasonably practicable after discovery of the incident.” Perhaps the SEC should require that there be a reasonable basis for the materiality determination, which would allow for an ex post inquiry not only into the reasonableness of the timing but also into the factual basis for the determination.
This post comes to us from Joshua Mitts, associate professor of law and Milton Handler Fellow at Columbia Law School.