Question
Public companies received new guidance from the SEC on Wednesday on the disclosures they should make related to cybersecurity.
The previous guidance, issued in October 2011, stated that companies may be obligated to disclose cybersecurity risks and incidents, but it did not provide specific disclosure requirements. The increasing number and severity of cybersecurity incidents has led the SEC to conclude that more specific disclosure requirements are necessary.
In an interpretation and statement issued Wednesday, the SEC stated that it expects companies to disclose cybersecurity risks and incidents that are material to investors, including financial, legal, or reputational consequences.
"I believe that providing the commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," SEC Chairman Jay Clayton said in a news release. "In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."
When companies become aware of a cybersecurity incident or risk that would be material to investors, they are required to make appropriate disclosures in a timely manner, before the offer and sale of securities, the SEC said. In addition, steps should be taken to prevent directors, officers, and other corporate insiders from trading in company securities until investors are appropriately informed.
Although companies may not have all the facts at the time of the initial disclosure, the SEC said an internal or external investigation is not a basis for avoiding disclosures of a material cybersecurity incident.
The guidance also includes issues for companies to consider as they evaluate disclosure of cybersecurity risk factors. In the management discussion and analysis, meanwhile, the SEC states that companies may need to disclose costs and risks related to cybersecurity, as well as the costs of combating cyberattacks.
In addition, the guidance discusses the potential effects of cybersecurity risk on the definition of a business, disclosures of legal proceedings, financial statement disclosures, and disclosures of board risk oversight.
- Review the following article and discuss 3 reasons why you believe the SEC has mandated new requirements for public companies. Additionally, discuss two ways this may impact stakeholders' decisions.