S.E.C.’s New Cybersecurity Guidance Won’t Spur More Disclosures
  • 6 years ago
The regulator tells companies that they need to have in place “disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition and results of operations.” Just as important, companies are expected “to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.”
Those are worthwhile reminders, but the S.E.C.
pointed out that “an ongoing internal or external investigation — which often can be lengthy — would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
also warns companies about the potential for insider trading when they learn about a breach, which inevitably has a negative effect on the stock price once it is disclosed.
Agatha Christie’s fictional sleuth Miss Marple once said in a BBC adaptation that “good advice is almost certain to be ignored, but that’s no reason for not giving it.” That may reflect how companies will respond to guidance recently issued by the Securities and Exchange Commission about how companies should deal with cybersecurity threats.
would like to end, but its guidance may not go very far in changing how companies deal with cybersecurity issues.
The Equifax breach, which affected more than 140 million people, came to the company’s attention in late July, but the public didn’t learn of it until early September.
It cautioned that “companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure