WASHINGTON—The U.S. Securities and Exchange Commission (SEC) has issued cyber-security guidance.
Called “principles-based” by the SEC, the guidance clarifies how the commission views the disclosure responsibility of public companies that have fallen victim to a cyber-attack.
“I believe that providing the Commission's views on these matters will promote clearer and more robust disclosure by companies about cyber-security risks and incidents, resulting in more complete information being available to investors,” the SEC chairman Jay Clayton said in a statement, adding that “in today's environment, cyber-security is critical to the operations of” markets and companies, which “increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies.”
Noting the “frequency, magnitude and cost of cyber-security incidents,” the SEC said it was “critical that public companies take all required actions to inform investors about material cyber-security risks and incidents in a timely fashion, including those companies that are subject to material cyber-security risks but may not yet have been the target of a cyber-attack,” SC Media reported.
The guidance said disclosure controls and procedures that have a mechanism for determining the impact of a cyber-attack or incident are key to a public company being able to “to make any required disclosure of cyber-security risks and incidents in the appropriate timeframe,” stressing that “a company's directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cyber-security risks and incidents that the company has faced or is likely to face,” SC Media reported.
The SEC's guidance calls for public companies to “have policies and procedures in place to guard against directors, officers, and other corporate insiders taking advantage of the period between the company's discovery of a cyber-security incident and public disclosure of the incident to trade on material nonpublic information about the incident, and help ensure that the company makes timely disclosure of any related material nonpublic information,” SC Media reported.
The commission said that companies should consider “the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber-incidents that prove to be material.”