SEC Releases Updated Cybersecurity Guidance


The U.S. Securities and Exchange Commission on Feb. 21, 2018, issued interpretive guidance on public company cybersecurity disclosures.

The new guidance will affect public companies and companies seeking to go public in three key areas:

Disclosure in periodic reports and registration statements
Maintenance of disclosure controls and public reporting processes
Impact on insider trading procedures


Background

Cybersecurity has been an area of focus by the SEC for several years. The most recent formal statement from the SEC was provided by the Division of Corporation Finance in 2011. That guidance stressed the obligation for reporting companies to make appropriate disclosures regarding the risk of cybersecurity events, and in particular the consequences of any events that have occurred.

Recent commentary by senior officials indicates that cybersecurity matters have become an area of increased focus for the SEC. For example, in September 2017, SEC Chairman Jay Clayton issued a statement highlighting the importance of cybersecurity to the agency and market participants and detailing the agency's approach to cybersecurity as an organization and as a regulatory body.1 We believe that the release of the new guidance indicates that cybersecurity will be an area of increased focus by the SEC in its review of periodic reports and registration statements.

The new guidance does not create specific new disclosure obligations and largely covers the same disclosure topics as the prior guidance, offering similar recommendations. However, the fact that the SEC issued this guidance suggests this will be an area of increased focus. In addition, the new guidance notes that it addresses two topics not covered in the prior guidance: maintenance of effective disclosure controls and procedures (DCPs)2 to enable accurate and timely disclosure of material cybersecurity events and insider trading implications of the occurrence of cybersecurity events.


Disclosure in Registration Statements and Periodic Reports

While the prior guidance focused on the need to address the risks and costs of cybersecurity considerations, the focus was largely on disclosure required after a cybersecurity event occurred. For example, it noted that discussion in a risk factor to the effect that a cyberattack may occur would likely be insufficient disclosure for a company that had experienced a material cyberattack. In such a case, to put the risk discussion in appropriate...