Securities and Exchange Commission issues its first guidance for how and when companies should report cybersecurity or other incidents that pose a cyber risk.
The Securities and Exchange Commission (SEC) has issued its first official guidance for how companies should report cybersecurity incidents that could have a negative impact on operations or their financial status.
The SEC's division of corporate finance this week presented several specific criteria for the disclosure of cyber incidents, according to guidance presented on its website.
The SEC long has required companies to report any incidents that could impact their financial performance, but to date has not outlined requirements for disclosing cybersecurity or other cyber incidents in particular.
However, with the growing dependence on the Internet and other digital communications for business functions, companies as well as their accountants and lawyers have asked the SEC to provide a framework for disclosing cyber incidents, according to the commission.
"As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances," the SEC said.
According to the SEC, companies should disclose the risk of cyber incidents if "these issues are among the most significant factors that make an investment in the company speculative or risky." Companies should consider prior cyber incidents and the severity and frequency of those incidents to determine if they need to report a cyber risk, according to the guidance.
The SEC also advises companies to take into account the actions they take to prevent and reduce risks in the context of their particular industry, as well as risks to that security. To put risks reported under these criteria in context, the SEC said a company may need to disclose "known or threatened cyber incidents."
Companies also should address cybersecurity risks in their management, discussion, and analysis (MD&A) reporting if costs or consequences of a known risk will have a material impact on the company, according to the SEC.
Moreover, cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions also should be reported. This should be done in a company's "description of business" reporting, according to the SEC.
Cybersecurity incidents also may need to be reported on a company's financial statements, "depending on the nature and severity of the potential or actual incident," the commission said.