The U.S. Securities and Exchange Commission (SEC) has voted unanimously to approve guidance designed to assist public companies in preparing disclosure about cybersecurity risks and incidents.
The new guidance sets out the regulator’s expectations for public companies’ disclosure obligations involving cybersecurity breaches and firms’ cyber risks.
It also deals with issuers’ cybersecurity policies, disclosure controls, insider trading prohibitions, and restrictions on selective disclosure, in the context of cybersecurity.
“I believe that providing the commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” says Jay Clayton, SEC chairman, in a statement.
“In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives,” he adds.