SEC publishes new requirements for cybersecurity disclosures

SEC publishes new requirements for cybersecurity disclosures

Public companies received new guidance from SEC on Wednesday on disclosures y should make d to cybersecurity.

previous guidance, issued in October 011, stated that companies may be oblid to disclose cybersecurity risks and incidents, but it did not provide specific disclosure requirements. ineasing number and severity of cybersecurity incidents has led SEC to conclude that more specific disclosure requirements are necessary.

In an interpretation and statement issued Wednesday, SEC stated that it expects companies to disclose cybersecurity risks and incidents that are material to investors, including financial, legal, or reputational consequences.

“I believe that providing commission’s views on se matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a release. “In particular, I urge public companies to examine ir controls and , with not only ir securities law disclosure obligations in mind, but also reputational conrations around sales of securities by executives.”

When companies become aware of a cybersecurity incident or risk that would be material to investors, y are required to make appropriate disclosures in a timely manner, before offer and sale of securities, SEC said. In addition, steps should be taken to prevent directors, officers, and or corporate inrs from trading in company securities until investors are appropriately informed.

Although companies may not have all facts at time of initial disclosure, SEC said an internal or external investigation is not a basis for avoiding disclosures of a material cybersecurity incident.

guidance also includes issues for companies to conr as y evaluate disclosure of cybersecurity risk factors. In discussion and ysis, meanwhile, SEC states that companies may need to disclose costs and risks d to cybersecurity, as well as costs of combating cyberattacks.

In addition, guidance discusses potential effects of cybersecurity risk on definition of a business, disclosures of legal proceedings, financial statement disclosures, and disclosures of board risk overht.

Ken Tysiac ( is a JofA editorial director.