Blog

Updated Guidance on Cybersecurity Disclosures from the SEC

March 05, 2018

Close

Written By Ruth E. Promislow and Katherine Rusk

The U.S. Securities and Exchange Commission (SEC) published updated guidance on February 21, 2018, for how and when public companies should disclose cybersecurity risks and breaches. The SEC explains that the additional guidance is given “in light of the increasing significance of cybersecurity incidents.”

A significant element of the guidance is the requirement to disclose particulars of the extent of board risk oversight. In particular, companies must disclose how the board administers its oversight function and the effect this has on the board’s leadership structure. This requirement underscores the expectation that boards are in fact engaging with management on cybersecurity issues.

In addition to the above, companies are expected to make disclosure relating to cybersecurity. Highlights include the following:

Companies are encouraged “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.”

The guidance further sets out the requirement that public operating companies inform investors about cybersecurity risks and incidents in a timely fashion. This includes companies that have not yet been the target of a cyberattack but are subject to cybersecurity risks. More specifically, with respect to public operating companies, the guidance addresses two topics not developed in the 2011 guidance: required cybersecurity policies and procedures; and the prohibition of trading of a the company's securities by corporate insiders who are in possession of material non-public information related to cyber incidents.

The expanded SEC guidance underscores the inescapable reality that cybersecurity must be front of mind for all businesses, and in particular for directors.

Author

Related Links



View Full Mobile Experience