The U.S. Securities and Exchange Commission clarified SEC cybersecurity disclosure rules this week, which could have big implications for how enterprises respond to data breaches and other security incidents.

The agency released new guidance on how publicly traded companies are expected to handle cybersecurity disclosures and investigations, especially as they relate to insider trading. The "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" spells out the details of the SEC cybersecurity disclosure rules. Under the guidance, security incidents and security risks are considered "material," meaning they can affect the value of the company's stock, so publicly traded companies are obligated to publicly report them and to avoid trading shares before they do so.

"Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack," the SEC guidance read.

The SEC explicitly noted that such information can be considered insider knowledge, and "directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."

SEC Chairman Jay Clayton, in a press release, urged public companies "to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."

The new SEC cybersecurity disclosure rules come in the wake of Intel CEO Brian Krzanich's sale of company stock after the chipmaker became aware of the Spectre and Meltdown flaws, but before that news was made public. Krzanich sold $24 million worth of Intel stock in a scheduled sale that occurred on Nov. 29 of last year -- the same day Intel first informed OEM partners of the Meltdown and Spectre vulnerabilities.


Krzanich's sale isn't the only stock sale to be scrutinized recently. Last September, Bloomberg reported three Equifax executives had made unscheduled stock sales totaling over $1.8 million before news of the Equifax breach was made public; in November, the Equifax board declared those sales were not made on the basis of insider trading.

Concerns about how security incidents can affect stock prices go back further, according to Casey Ellis, CTO and founder of Bugcrowd, based in San Francisco, who said he suspected the issue dates back to the attempt to profit from news about a vulnerability in cardiac devices that was expected to affect St. Jude Medical's shares in 2016.

"The challenge is no longer whether there's an advantage to be gained by trading with this knowledge, but rather what the rules should be to avoid this possibility in the first place. There's also a fascinating parallel between this thread and the work being done by the Senate around mandatory breach disclosure," Ellis said. "They both involve broad disclosure to protect the consumer, but the Senate is focused on protection of the average user's data, while the SEC is thinking about protection of the average person from insider trading."