The SEC says companies must disclose more information about cybersecurity risks

The U.S. Securities and Exchange Commission issued new guidance calling on public companies to be more forthcoming when disclosing cybersecurity risks, even before a breach or attack happens. The statement, which expands on previous guidance issued in 2011, also warns that corporate insiders must not trade shares when they have information about cybersecurity issues that isn’t public yet.

While the commission’s five members voted unanimously to approve the guidance, both of its Democratic commissioners said the SEC needs to take more action. (The commission is bipartisan by design: no more than three of its five commissioners may belong to the same political party.)

The guidance was issued as an “interpretive release,” the form the SEC uses to publish its views on how federal securities laws and SEC regulations apply. In it, the commission urged companies to adopt policies and procedures that let them quickly assess cybersecurity risks and incidents, decide when disclosure to the public is required, and prevent executives, board members and other corporate insiders from trading shares while they hold material information about such incidents that hasn’t been released yet.

Back in 2011, the SEC’s Division of Corporation Finance first published guidance about disclosing cybersecurity risks and incidents, which was necessary at the time because there were no existing disclosure requirements that specifically addressed cybersecurity issues.

Over the past seven years, however, cybersecurity breaches have become increasingly commonplace, so the SEC decided to expand on its 2011 guidance.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the SEC said.

The SEC’s new guidance doesn’t mention specific incidents, but it comes about five months after the massive Equifax data breach, which compromised the personal information of about 145.5 million people. The credit bureau was criticized for taking too long to notify affected consumers of the incident, and the Justice Department is also reportedly investigating large sales of shares by executives during the window between when the company learned of the breach and when it was made public.

The SEC added that although companies are not expected to disclose technical details that could compromise their cybersecurity defenses, they also cannot point to an ongoing internal or law enforcement investigation as a reason, by itself, for withholding disclosure of a material incident.

“We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation, which often can be lengthy, would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident,” the guidance stated.

In a statement published with the guidance, SEC chairman Jay Clayton, a political independent, said “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

The two Democrats on the SEC, however, said the guidance doesn’t go far enough. In a statement, SEC commissioner Kara Stein said many public companies still provide disclosures about cybersecurity risks that are “far from robust” and that she is “disappointed with the Commission’s limited action.”

“In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance,” she wrote. Rather than issuing guidance alone, Stein argued, the SEC should consider rules that would require companies to develop and implement stronger cybersecurity-related policies and procedures.

In his statement, commissioner Robert J. Jackson, the other Democrat on the SEC, wrote, “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.”

The two Republicans on the commission, Michael Piwowar and Hester Peirce, did not issue separate statements about the guidance.