Federal | Agencies | Legislative
In light of the increasing significance of cybersecurity incidents, the Commission believes it is necessary to provide further Commission guidance. This interpretive release outlines the Commission’s views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. While the Commission continues to consider other means of promoting appropriate disclosure of cyber incidents, we are reinforcing and expanding upon the staff’s 2011 guidance. In addition, we address two topics not developed in the staff’s 2011 guidance, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
First, this release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.
Second, we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.
The Commission, and the staff through its filing review process, continues to monitor cybersecurity disclosures carefully.
Secretary of Homeland Security Kirstjen M. Nielsen Statement on Cybersecurity for the Nation’s Election
Thursday, Feb. 15, 2018
Friday, Feb. 16, 2018
Saturday, Feb. 17, 2018
Today, the Council of Economic Advisers (CEA) released a report detailing the economic costs of malicious cyber activity on the U.S. economy. Please see below for the executive summary and read the full report here.
This report examines the substantial economic costs that malicious cyber activity imposes on the U.S. economy. Cyber threats are ever-evolving and may come from sophisticated adversaries. Due to common vulnerabilities, instances of security breaches occur across firms and in patterns that are difficult to anticipate. Importantly, cyberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector. Firms in critical infrastructure sectors may generate especially large negative spillover effects into the wider economy. Successful protection against cyber threats requires accurate data and cooperation across firms and between private and public sectors.
- • We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
- • Malicious cyber activity directed at private and public entities manifests as denial of service attacks, data and property destruction, business disruption (sometimes for the purpose of collecting ransoms) and theft of proprietary data, intellectual property, and sensitive financial and strategic information.
- • Damages from cyberattacks and cyber theft may spill over from the initial target to economically linked firms, thereby magnifying the damage to the economy.
- • Firms share common cyber vulnerabilities, causing cyber threats to be correlated across firms. The limited understanding of these common vulnerabilities impedes the development of the cyber insurance market.
- • Scarce data and insufficient information sharing impede cybersecurity efforts and slow down the development of the cyber insurance market.
- • Cybersecurity is a common good; lax cybersecurity imposes negative externalities on other economic entities and on private citizens. Failure to account for these negative externalities results in underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.
- • Cyberattacks against critical infrastructure sectors could be highly damaging to the U.S. economy.