The Securities and Exchange Commission voted unanimously Tuesday to approve interpretive guidance for public companies on how to prepare disclosures about cybersecurity risks and incidents.
SEC Chairman Jay Clayton said in a statement that the moves "will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors." He urged public companies to examine controls and procedures with both disclosure obligations and reputational considerations in mind.
The guidance is aimed at helping public companies prepare cybersecurity disclosures required by federal securities laws. Two topics added since the 2011 guidance are the importance of cybersecurity policies and procedures, and how insider-trading bans apply in the cybersecurity context.
In her own statement, Commissioner Kara Stein expressed disappointment with what she called "limited actions," noting that similar staff guidance was developed in 2011, while cybersecurity incidents have become a growing problem. "This to me strongly suggests that guidance alone is inadequate," Ms. Stein said. While noting that the SEC has limited options without engaging in formal rulemaking, "it is imperative that the commission do more," she said.
Commissioner Robert Jackson said in his own statement that he reluctantly approved the guidance, which he hopes "is just the first step."
The guidance, which will be published in the Federal Register shortly, cites a Ponemon Institute study of 419 companies in 13 countries and regions that estimated the average organizational cost of a data breach in the United States in 2016 at $7.35 million. The guidance adds that the total cost to a company in connection with a particular incident "could be much higher" when ransom, reputational risk and other costs are factored in.