SEC Issues Cybersecurity Risk Guidance for Companies
The SEC adopted interpretive guidance to help companies prepare disclosures about cybersecurity risks and incidents, the agency said Wednesday. Chairman Jay Clayton said the guidance highlights federal securities laws' disclosure requirements and the importance of policies and procedures for disclosure controls. He said the aim of the guidance is "clearer and more robust disclosure by companies" about cybersecurity risks, giving investors more complete information. The commission said it's not suggesting companies must make detailed disclosures such as specific technical information about their systems or potential system vulnerabilities, but they should disclose incidents and risks material to investors, including financial, legal or reputational consequences. The agency said companies might need to disclose previous or ongoing incidents to put risk discussions in context.