24 February 2019
The US Securities and Exchange Commission is seeking 'clearer and more robust disclosure' by firms facing cyber-security issues. Photo: Bloomberg

US regulator updates guidance on cyber-risk disclosures

The US markets regulator on Wednesday updated guidance to public companies on how and when they should disclose cyber-security risks and breaches, including potential weaknesses that have not yet been targeted by hackers, Reuters reports.

In its guidance, the Securities and Exchange Commission (SEC) also said that company executives must not trade in a firm’s securities while possessing non-public information on cyber-security attacks, according to the report.

The regulator encouraged firms to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.

The SEC, which unanimously approved the additional guidance, will promote “clearer and more robust disclosure” by firms facing cyber-security issues, according to Chairman Jay Clayton, a Republican.

Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans’ personal information.

The SEC first issued guidance on cyber disclosures in 2011. There has since been a surge in breaches, including one at the SEC itself.

The new guidance will mean an increase in information disclosed on cyber-attacks and risks.

In other news, the operator of a shuttered bitcoin-denominated exchange was arrested on Wednesday on federal charges that he lied to US securities regulators to avoid taking responsibility for the theft by hackers of virtual currency, Reuters reported.

Federal prosecutors in Manhattan announced the charges against BitFunder founder Jon Montroll the same day the SEC filed a lawsuit accusing him and the company of running an unregistered securities exchange that defrauded its users.

Montroll, a resident of Saginaw, Texas, was charged in a criminal complaint with perjury and obstruction of justice and was arrested in his home state. 

Prosecutors said Montroll operated WeExchange Australia, which functioned as a bitcoin depository and exchange service, and BitFunder, which allowed users to sell virtual shares of business entities in exchange for bitcoins.

According to a criminal complaint, hackers in 2013 exploited a weakness in BitFunder’s programming code to cause it to credit them with profits they had not actually earned, allowing them to withdraw 6,000 bitcoins from WeExchange.

Due to the hacking, BitFunder and WeExchange lacked enough bitcoins to cover what Montroll owed users, prosecutors said. Yet they said that during a subsequent SEC probe, Montroll denied that the exploit the hackers used had been successful.

Three days after the hacking, Montroll, using an alias, is said to have participated in an online chat in which he sought help from the principal of a different bitcoin exchange to track down “stolen bitcoins”.

He later transferred some of his own bitcoins into WeExchange to conceal the losses, prosecutors said. BitFunder shut down in 2013.

At the time, the more than 6,000 bitcoins the hackers stole were worth about US$775,000. Today, those bitcoins are worth nearly US$70 million, according to the criminal complaint.
