The SEC today posted an interpretive release setting out its latest guidance on public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
The timing of the release was a bit unusual. Initially, the SEC was scheduled to consider the guidance at an open meeting on February 21st. It abruptly cancelled the meeting and instead put out a press release saying the interpretive guidance had been approved on February 20th. Sounds like the SEC may be having its own issues with disclosure controls and procedures!