(Adds details on updated SEC guidance and attorney comments)
WASHINGTON, Feb 21 (Reuters) - The U.S. Securities and Exchange Commission on Wednesday updated guidance to public companies on how and when they should disclose cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers.
The guidance also said company executives must not trade in a firm's securities while possessing nonpublic information on cyber security attacks. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.
The SEC, in unanimously approving the additional guidance, said it would promote "clearer and more robust disclosure" by companies facing cyber security issues, according to SEC Chairman Jay Clayton, a Republican.
Democrats on the commission reluctantly supported the guidance, describing it as a paltry step taken in the wake of a raft of high-profile hacks at major companies that exposed millions of Americans' personal information. They called for much more rigorous rulemaking to police disclosure around cyber security issues, or requiring certain cyber security policies at public companies.
Commissioner Robert Jackson said the new document "essentially reiterates years-old staff-level views on this issue," and pointed to analysis from the White House Council of Economic Advisers that finds companies frequently under-report cyber security events to investors.
The SEC first issued guidance in 2011 on cyber security disclosures.
"It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have," Commissioner Kara Stein, another Democrat, said in a statement.
Significant breaches have included those at consumer credit reporting agency Equifax Inc. and at the SEC itself.
The agency announced in September its corporate filing system, known as EDGAR, was breached by hackers in 2016 and may have been used for insider trading. The matter is under review.
The new guidance will mean that corporations disclose more information about cyber attacks and risks and take steps to ensure no insider trading can occur around those events, said several attorneys who advise businesses on the subject.
"This essentially creates a mandatory new disclosure category - cyber security risks and incidents," said Spencer Feldman, an attorney with Olshan Frome Wolosky LLP.
Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP, said the SEC guidance "makes clear that it doesn't want a repeat of the Equifax situation." (Reporting by Pete Schroeder and Jim Finkle; Editing by Grant McCool)