By Pete Schroeder
WASHINGTON (Reuters) – The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cyber security risks and breaches, including disclosing potential weaknesses that have not yet been targeted by hackers.
The guidance also said company executives must not trade in a firm’s securities while possessing nonpublic information on cyber security attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.
It discourages companies from withholding disclosure simply because of an ongoing investigation into a cyber security matter.
The SEC, which approved the additional guidance unanimously, said it would promote "clearer and more robust disclosure" by companies facing cyber security issues, according to SEC Chairman Jay Clayton, a Republican.
"I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," Clayton said in a statement.
The new guidance builds on staff guidance first issued in 2011 by the SEC on cyber security disclosures. Since then, there have been several high-profile hacks of sensitive data, including at the SEC itself, where hackers gained access to its corporate filing system, known as EDGAR.
The two Democratic members of the five-member bipartisan commission wanted to see the agency do more to push companies to boost their cyber security, including adopting formal rules.
Commissioner Robert Jackson said the new document "essentially reiterates years-old staff-level views on this issue."
"It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have," the commissioner said in a statement.