Sarbanes-Oxley Act (SOX Act)
The Sarbanes-Oxley Act of 2002, or SOX Act, is a US federal law establishing a variety of auditing and financial regulations for public companies.
Interpretive guidance from the US Securities and Exchange Commission (SEC) states that companies may be obligated under the law to disclose cybersecurity risks and incidents, and outlines the conditions under which such disclosures must take place.
In particular, companies are required to make cybersecurity disclosures when these risks or incidents are material to investors as a result of potential financial, legal, or reputational consequences.
The guidance also instructs companies to put in place controls and procedures to ensure that disclosures of cybersecurity risks and incidents are properly made, appropriately documented, and reflective of factual circumstances.