On February 21, 2018, the Securities and Exchange Commission (SEC) approved an interpretive release updating guidance on public company disclosure and other obligations concerning cybersecurity matters. In large measure, the interpretive release, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (Guidance), expands upon the Division of Corporation Finance’s 2011 CF Disclosure Guidance: Topic No. 2, Cybersecurity. The 2011 disclosure guidance was issued to assist companies in assessing what disclosures might be required about cybersecurity risks or incidents. The new Guidance goes beyond disclosure considerations by stressing the importance of cybersecurity policies and procedures and discussing the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD selective disclosure prohibitions. As Chairman Clayton noted in a statement about the new Guidance, he believes “that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”
Going forward, cybersecurity likely will remain a potential area for future rulemaking, given public interest in the topic generally and given the interest expressed by at least two of the SEC Commissioners in additional specific requirements with respect to cybersecurity matters (see statements by Commissioners Stein and Jackson). In the near term, companies should consider reviewing and refreshing their disclosures regarding oversight of cybersecurity risks, and should consider reviewing their disclosure controls and procedures to make sure they capture cybersecurity matters.