The Commission’s guidance document emphasizes that threats from cybersecurity concerns have increased, as have the costs associated with cybersecurity incidents. Given the “frequency, magnitude and cost of cybersecurity incidents,” the Commission believes that it is “important” that reporting companies “take all required actions to inform investors” about cybersecurity risks and incidents in a timely fashion. To fulfil these obligations, the Commission emphasizes the importance of public companies maintaining appropriate disclosure procedures and controls.
In highlighting reporting companies’ cybersecurity disclosure obligations, the guidance document does not rely on or propose new duties or requirements; to the contrary, the Commission emphasizes that the disclosure requirements discussed in the document arise under existing reporting obligations. The guidance document notes, but does not provide any particularly helpful direction on, several concerns reporting companies may have: the possibility that cybersecurity disclosure could provide a road map for potential intruders; problems associated with disclosure timing, particularly where all facts may not be known; and particular concerns about disclosure that may arise while a law enforcement investigation is still underway.
via SEC Releases Cybersecurity Disclosure Guidance | The D&O Diary