On February 21, the Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission’s release follows shorter cybersecurity “disclosure guidance” issued in 2011 by the staff of the SEC’s Division of Corporation Finance. The new guidance was prompted by the agency’s concern over the increase in the risks and frequency of data breach incidents and other cyber-attacks affecting public companies. The Commission’s release addresses many of the matters raised in the staff’s guidance, while expanding the discussion to cover additional disclosure and compliance considerations.
The Commission’s release does not propose new rules or rule amendments that would impose new requirements, but rather expresses the Commission’s views within the existing disclosure framework. The new guidance nevertheless deserves careful study, because it represents a comprehensive statement of the Commission’s perspective on the obligation of companies to inform investors about material cybersecurity risks and incidents in a timely fashion. Based on experience with the 2011 guidance, the SEC staff can be expected to refer to the new release in evaluating cybersecurity disclosures – or the absence of such disclosures – by companies whose filings it selects for review.
The Commission’s release does not address the specific implications of cybersecurity for entities regulated under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations. The SEC staff has previously issued separate guidance on cybersecurity measures for some of these entities.
The Commission’s release is available here.
In this post, we provide an overview of the guidance and a link to our more detailed analysis.
As discussed in the SEC Update we issued in October 2011, the SEC staff’s guidance outlined the staff’s views on how companies should describe cybersecurity matters and their potential effects under existing disclosure rules, and in particular in response to specified items of Regulation S-K. The staff also highlighted the manner in which cybersecurity matters may affect financial statement disclosure.
In identifying contexts in which companies may need to disclose cybersecurity risks and incidents, the staff indicated that it had designed its guidance “to be consistent with the relevant disclosure considerations that arise in connection with any business risk.” The Commission’s guidance broadens that discussion to address assessments of materiality, a company’s possible duty to correct or update cybersecurity disclosures, and disclosure concerning board oversight of cybersecurity risks. The new guidance also directs attention to related areas of regulatory concern, including:
- The adequacy of disclosure controls and procedures for identifying and assessing the impact of cybersecurity risks and incidents
- The application of trading prohibitions to corporate insiders when a cybersecurity risk or incident that may be material has not been publicly disclosed
- Compliance with Regulation FD to avoid selective disclosure of a material cybersecurity risk or incident
To read our full analysis, click here.