EXECUTIVE SUMMARY:

In 2011, the US Securities and Exchange Commission (SEC) issued guidance to public companies regarding cyberattack disclosures. Given that major data breaches have occurred since then (not to mention at the SEC itself), the commission has now updated its guidance.

Two of the five commission members feel that the updates are insufficient, according to Reuters: “Commissioner Robert Jackson said the new document ‘essentially reiterates years-old staff-level views on this issue.’ And Commissioner Kara Stein said the new effort ‘does not sufficiently advance the ball.’”

Key takeaways from the SEC updates, according to The Hill:

  • Investors should be told about cybersecurity risks, even if the companies have not yet been targeted by cyberattackers.
  • Breaches should be disclosed in a timely manner.
  • Executives and others aware of a breach should not be allowed to trade in their company’s securities before news of a cyberattack is shared with the general public.

Read the full story at The Hill.