SEC urges clearer disclosures about cybersecurity risks

Updated guidance offers suggestions on how and when public companies should disclose breaches and risks.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

Feb. 21, 2018 3:47 p.m. PT

2 min read

The US Securities and Exchange Commission on Wednesday issued new guidance on how and when public companies should disclose cybersecurity risks and breaches.

The "interpretive guidance" document (PDF) urges informing investors of risks in a timely fashion, including vulnerabilities that have not yet been targeted by hackers. The guidance also says executives should refrain from trading in the company's stock while in possession of nonpublic information about significant cybersecurity attacks.

The commission, which unanimously approved the updated guidance, believes the document will help "promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors," SEC Chairman Jon Clayton said in a statement.

The commission's guidance comes amid a surge in wide-reaching cybersecurity hacks and vulnerabilities, including one last year at Equifax in which cybercrooks stole a treasure trove of personal information from as many as 143 million people in the US. The credit-monitoring firm said it learned of the massive hack in July, but it waited until September -- more than a month -- to reveal it publicly.

Three days after the company discovered the breach, nearly $1.8 million in stock trades were made by Equifax executives, including the company's chief financial officer. The company has said the stock sales were pre-scheduled, but the US Justice Department has reportedly opened a criminal investigation into the trades.

Earlier this year, Intel CEO Brian Krzanich acknowledged selling hundreds of thousands of Intel shares in November, based on a plan filed in October, both months after the company learned of the vulnerabilities in its chips. But the stock sale was unrelated, Intel said.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.