Companies have remained mum on all things related to cybersecurity for quite a long time, but that may soon change as the Securities and Exchange Commission (SEC) updated its guidance saying publicly traded companies need to release incident and risk information.
Companies should inform investors in a timely fashion of all cybersecurity incidents and risks – even if the firm has not actually been targeted in a malicious attack, said SEC officials.
This all comes after the SEC published an interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
“Companies today rely on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.
“As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased. Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century,” the SEC document said.
In addition, the SEC also believes companies should develop controls and procedures for assessing the impact of incidents and risks.
“Public companies should have policies and procedures in place to guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and help ensure that the company makes timely disclosure of any related material nonpublic information,” said the SEC document.
The SEC’s cybersecurity incident disclosure guidance was first released in 2011 and it has now been updated to reinforce and expand previous recommendations.