The U.S. Securities and Exchange Commission issued new guidance calling on public companies to be more forthcoming when disclosing cyber security risks within their organization, even before a breach or cyber-attack occurs.
The commission’s five members voted unanimously to approve the guidance; however, both Democratic commissioners feel that companies need to take more action. These two members hope that this is just the first step towards defeating actors who use technology to threaten the United States.
In the guidance, the commission urged companies to create policies that allow them to quickly assess cyber security risks and decide when to tell the public, and also to prevent executives, board members, and other corporate insiders from trading shares when they have important information that hasn’t been released to the public yet.
“Given the frequency, magnitude and cost of cybersecurity incidents, the commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cyber security risks but may not yet have been the target of a cyber-attack,” the SEC said.
The SEC added that while companies are not required to disclose sensitive information that could compromise the company’s cyber security measures, they absolutely cannot use internal or law enforcement investigations as an excuse for not informing the public of a security incident, something that has been done all too often in the past.
The SEC did not mention any specific security incidents in the guidance, but it comes just a few months after the massive Equifax data breach that impacted over 145 million individuals. Equifax was harshly criticized for how long it took to inform users about the incident, one of the largest breaches of consumers’ private financial data in history. The Justice Department is also investigating Equifax for large sales of shares by executives made between when the company learned of the breach and when it became public.