In House - The FindLaw Corporate Counsel Blog

New SEC Rules on Public Companies' Cybersecurity

With companies being hacked virtually every day, the Securities and Exchange Commission has released guidelines calling on them to take more security measures.

The Equifax cyberattack, in particular, pushed the agency to publish the new cybersecurity standards. The credit reporting agency failed to report a cyber breach that exposed about 145 million consumer records, even as some company executives sold off their shares before disclosing the breach.


The SEC guidelines emphasize the losses that come from cyberattacks, highlighting the duties companies have to protect consumers and shareholders. "Substantial costs" and "other negative consequences" include:

  • Remediation costs, such as those arising from stolen assets or information
  • Cybersecurity costs, including organizational changes and protection technologies
  • Lost revenues from unauthorized use of proprietary information
  • Litigation and legal risks, including regulatory action by state and federal authorities

The agency outlined the losses, and then told companies what they have to do to prevent them.

"I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives," said SEC Chairman Jay Clayton.


Companies cannot hide their cybersecurity issues, the commission said.

"[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack," the report says.

Not all the commission members were happy with the report, saying it didn't go far enough. No one mentioned, however, that the SEC failed to disclose when it was hacked a year or so ago.
