On February 21, the Securities and Exchange Commission published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission’s release follows shorter cybersecurity “disclosure guidance” issued in 2011 by the staff of the SEC’s Division of Corporation Finance. The new guidance was prompted by the agency’s concern over the increase in the risks and frequency of data breach incidents and other cyber-attacks affecting public companies. The Commission’s release addresses many of the matters raised in the staff’s guidance, while expanding the discussion to cover additional disclosure and compliance considerations. In this post, we provide an overview of the guidance and a link to our more detailed analysis.
Earlier this year, the National Association of Corporate Directors released an updated version of its Director’s Handbook on Cyber-Risk Oversight. The NACD’s issuance of an update to its Handbook in just three years signals that cybersecurity-related governance expectations of companies and directors are evolving. While the use of and compliance with the Handbook is not mandatory, the Handbook is influential in shaping governance practices and thus it is prudent for those involved in corporate governance to familiarize themselves with the changes.
On October 13 the Division of Corporate Finance at the US Securities and Exchange Commission issued a Disclosure Guidance that for the first time advises registrants — public companies — to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. This Guidance is likely to lead to public companies performing formal and detailed assessments of the cybersecurity risks, and may lead to shareholder litigation following data security breaches with claims that a company failed to perform the assessment and disclose the risks recommended in the Guidance for complaince with securities disclosure laws.
The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC’s jurisdiction to protect their customers’ nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties.