The U.S. Securities and Exchange Commission (SEC) Division of Corporate Finance released a set of guidelines this month on breach disclosure obligations. The CF Disclosure Guidance Document is not a new set of rules or regulations but rather a set of suggestions offered to companies struggling to decide when and what to say regarding a potential security breach to investors.
Although there is no explicit requirement in federal securities laws to disclose cybersecurity risks and incidents, the Guidance implies that disclosure of incidents would ethically fall within the normal disclosure of 'timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.'
The SEC suggests that companies evaluate their cybersecurity risks, including prior incidents, in order to determine whether they must disclose information. The SEC would like companies to discuss the risks they face, the potential consequences of those risks, and the steps being taken to counter them.