The U.S. Securities and Exchange Commission on Feb. 21 issued revised guidance on how public companies should handle disclosures of cybersecurity threats and breaches.
"I believe that providing the Commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," said SEC Chairman Jay Clayton.
"In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," Clayton added.
The agency noted that companies should disclose risks, even if they have not been exploited by hackers. In addition, the SEC warned insiders not to trade on information about undisclosed breaches.
At the same time, the guidance noted that companies need not disclose information that might create openings for hackers. "We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident," the guidance states.
"Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences."