Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that have occurred since the Commission first issued cybersecurity guidance in 2011. The 2011 Guidance was among the first of its kind, as almost no guidance relating to disclosure requirements for cybersecurity issues existed at the time. The updated Guidance serves to provide the SEC’s views on public companies’ disclosure obligations as they relate to data breaches and other cybersecurity incidents.
The new Guidance encourages public companies to be transparent and disclose any potential cybersecurity risks before breaches or attacks occur. To make such pre-breach risk disclosure possible, the Guidance suggests that companies develop robust cybersecurity risk assessment policies. The Guidance also cautions companies to prevent executives or other insiders from trading company shares during the internal investigation of a data security incident or before such information is made available to the public. This prohibition on trading is specifically directed to curb behaviors such as those evident during one 2017 data breach involving a major credit-reporting agency.
Likewise, the SEC’s requirement that companies avoid delays in disclosing breaches comes on the heels of recent major incidents where companies took months, or in some cases years, to disclose that a breach had even occurred. Notably, the Guidance also prohibits companies from using internal or law enforcement investigations as a means of hiding the occurrence of a breach from public disclosure.
The SEC, however, does not specifically illustrate in the new Guidance the type of disclosures that it would consider “robust enough,” with some critics arguing that the Guidance’s requirements do not go far enough to encourage the creation of stronger cybersecurity policies. Whether this new Guidance does indeed result in more companies becoming better prepared for data security incidents remains to be seen; however, the unanimous adoption of the guidance does suggest that the SEC recognizes a need to continue to evaluate how cybersecurity risks are changing the ways in which public companies operate and how their disclosures should account for these risks and illustrate their preparedness to handle cybersecurity incidents.
You can find the SEC’s official announcement and the full text of the Guidance here.