The Securities and Exchange Commission (SEC) issued a statement and guidance on Wednesday warning public companies of their obligation to disclose cybersecurity breaches or threats.
The SEC said that, “Given the frequency, magnitude and cost of cybersecurity incidents, the commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The SEC made it clear that companies do not have to disclose cybersecurity details in such depth that the disclosure itself would make the company more vulnerable to attack, but if a company is particularly susceptible to an attack, that susceptibility should be reported.
The statement said that companies are obligated to disclose certain cybersecurity breaches in a timely fashion under the Securities Act of 1933 and the Securities Exchange Act of 1934. These acts require companies to report a variety of information.
The guidance warned companies that they must disclose “material” information that investors should be aware of, such as a security breach or the likelihood of a breach. The guidance stated that companies should enact policies and procedures to protect against insider trading before the information becomes public, and to ensure that these breaches are disclosed to the SEC.