On February 21, 2018, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, the new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed and what should be disclosed.
The guidance also focuses on the need for companies to develop disclosure controls and procedures that allow them to responsibly assess the impact that cybersecurity risks or incidents may have on the company and to determine whether they are material to investors. It also emphasizes the Commission’s view that directors, officers and other persons in positions of high-level responsibility need to be informed about the cybersecurity risks and incidents that a company encounters.
Putting It Into Practice: The new guidance does not so much break new ground as re-emphasize and reinforce existing principles. Indeed, SEC Commissioner Kara Stein criticized it for not going far enough to respond to cybersecurity risks and the need for public companies to disclose them. However, if you work for a public company facing cybersecurity risk, or you advise one, the new guidance contains useful principles and examples to consider in determining what information your company should disclose, when to do so, and how to avoid allegations of insider trading on cybersecurity information that is not yet public. The document also signals growing vigilance by the SEC in policing public company behavior relating to cybersecurity.