The Securities and Exchange Commission approved a new set of guidelines Wednesday urging companies to be more forthcoming in disclosing known cyber risks and incident reports following breaches.
The latest guidance builds on a set of 2011 staff guidelines and calls on companies to implement policies for assessing cyber threats more rapidly and to detail material risks and vulnerabilities in their SEC filings.
“Yesterday, the Commission approved the issuance of an interpretive release to provide guidance to public companies when preparing disclosures about cyber security risks and incidents,” SEC Chairman Jay Clayton said in a statement. “Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cyber security incidents for all companies, including public companies regulated by the Commission.”
Following 2017’s massive Equifax [EFX] data breach, which resulted in the loss of 145 million Americans’ personal data, SEC officials hope their new guidelines push companies towards adopting more comprehensive cyber security policies.
The new guidelines do not set a specific timeline for when breaches must be disclosed, and Clayton noted that SEC policy still leaves companies to make their own judgments about which cyber events are material and how to discuss them.
“We do not expect companies to publicly disclose specific, technical information about their cyber security systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cyber security incident,” SEC officials wrote in their report. “Nevertheless, we expect companies to disclose cyber security risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”
Under the guidance, companies should assess the disclosure controls and procedures that govern how cyber risks and incidents are reported in their SEC filings, and put procedures in place so that information about potential breaches reaches the people responsible for those disclosures.
Ongoing internal investigations do not provide sufficient basis for avoiding cyber disclosures, according to the new guidelines.
While receiving unanimous approval from the commission’s five members, Commissioner Kara Stein released a statement citing several shortcomings with the new guidelines.
“When the chairman put cyber security on the Commission’s agenda, I was very supportive. Unfortunately, I am disappointed with the Commission’s limited action,” Stein said in a statement. “To be sure, these are all valuable reminders and raising them to the Commission level indicates a level of significance the staff guidance from seven years ago simply does not. The problem, however, is that many of these reminders were offered by the staff back in 2011. If our staff has already provided guidance regarding cyber-related disclosures, the question, then, is what we, as the Commission, should be doing to add value given seven additional years of insight and experience.”
The new guidelines place added pressure on companies to adopt cyber policies, but they do not report the specific issues the SEC has observed or identify where companies are lagging in their threat-sharing procedures, according to Stein.
Stein cited a 2014 study of the SEC’s previous guidelines, which found that they resulted in “a series of disclosures that rarely provide differentiated or actionable information for investors.”
A more substantive update to the guidelines could include SEC findings on the most prominent cyber threats, updates on the latest technological advances by cyber actors, and more input from academia and cyber experts on how best to protect private-sector networks.
“Simply put, seven years since the staff guidance was released, despite dramatic increases in cyber attacks and their related costs, there have been almost imperceptible changes in companies’ disclosures. This to me strongly suggests that guidance alone is inadequate,” Stein said.