Sarbanes-Oxley Act (SOX Act)
The Sarbanes-Oxley Act of 2002, or SOX Act, is a US federal law that establishes a range of auditing and financial-reporting requirements for public companies.
Interpretive guidance from the US Securities and Exchange Commission (SEC) states that companies may be obligated under the law to disclose cybersecurity risks and incidents, and outlines the conditions under which such disclosures must take place.
In particular, companies are required to disclose cybersecurity risks or incidents when those risks or incidents are material to investors because of their potential financial, legal, or reputational consequences.
The guidance also instructs companies to put in place controls and procedures to ensure that cybersecurity risks and incidents are properly disclosed, appropriately documented, and reflective of the actual circumstances.