Public companies received new guidance from the SEC on Wednesday on the disclosures they should make related to cybersecurity.
The previous guidance, issued in October 2011, stated that companies may be obligated to disclose cybersecurity risks and incidents, but it did not provide specific disclosure requirements. The increasing number and severity of cybersecurity incidents have led the SEC to conclude that more specific disclosure requirements are necessary.
In an interpretation and statement issued Wednesday, the SEC stated that it expects companies to disclose cybersecurity risks and incidents that are material to investors, including financial, legal, or reputational consequences.
“I believe that providing the commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a news release. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
When companies become aware of a cybersecurity incident or risk that would be material to investors, they are required to make appropriate disclosures in a timely manner, before the offer and sale of securities, the SEC said. In addition, steps should be taken to prevent directors, officers, and other corporate insiders from trading in company securities until investors are appropriately informed.
Although companies may not have all the facts at the time of the initial disclosure, the SEC said an internal or external investigation is not a basis for avoiding disclosures of a material cybersecurity incident.
The guidance also lists issues for companies to consider as they evaluate the disclosure of cybersecurity risk factors. For the management's discussion and analysis (MD&A) section, meanwhile, the SEC states that companies may need to disclose costs and risks related to cybersecurity, as well as the costs of combating cyberattacks.
In addition, the guidance discusses the potential effects of cybersecurity risk on the definition of a business, disclosures of legal proceedings, financial statement disclosures, and disclosures of board risk oversight.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.