SEC backs disclosure of cybersecurity risks by US companies

The SEC recommends that, where a cyber incident leads to a data breach, the company provide “certain disclosures of losses that are at least reasonably possible.”

Stressing that “no existing [securities law] disclosure requirement explicitly refers to cybersecurity risks and cyber incidents”, the SEC said that companies should nevertheless “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

The regulator said that disclosures should include discussion of aspects of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; description of outsourced functions and how the company addresses those risks; description of cyber incidents experienced by the company that are material, including a description of the costs and other consequences; risks related to cyber incidents that may remain undetected for an extended period; and description of relevant insurance coverage.

The issuing of the cybersecurity guidelines comes five months after a group of Democratic senators called on the SEC to issue national guidelines on data breach disclosures. In a May 11 letter sent to SEC Chairman Mary Schapiro, the senators wrote: “Given inconsistencies in reporting, investor confusion, and the national importance of addressing cybersecurity, we request that the Securities and Exchange Commission issue guidance regarding the disclosure of information security risk, including material network breaches.”