"[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion," the report states, "including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack."
The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC.
For example, in the US, the Securities and Exchange Commission has affirmed the importance of including cybersecurity processes and events in a public company's disclosure of risk factors and material events.
The report must (1) assess the confidentiality, integrity and availability of the company's Information Systems, (2) detail exceptions to the company's cybersecurity procedures and policies, (3) identify cyber risks to the company, (4) assess the effectiveness of the company's cybersecurity program, (5) propose steps to remediate any inadequacies identified in the company's cybersecurity program, and (6) include a summary of all material Cybersecurity Events that affected the company during the time period addressed by the report.