On February 21, the SEC issued a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. This new guidance reinforces and expands upon guidance issued by the SEC’s Division of Corporation Finance in 2011. Two particular areas of focus are (1) the importance of cybersecurity policies and procedures and (2) the application of insider trading prohibitions in the cybersecurity context.
For more on the new cybersecurity guidance, see this article by Sten-Erik Hoidal, co-chair of Fredrikson & Byron’s Data Protection & Cybersecurity Group. Hoidal concludes his analysis by offering three key takeaways:
- If nothing else, the guidance provides further evidence that the SEC is concerned about cybersecurity and, in particular, disclosures relating to cybersecurity risks and incidents. Public companies should (1) assess their existing disclosure controls and procedures for consistency with the guidance and (2) ensure that future disclosures are appropriately tailored to disclose material cybersecurity risks and incidents. They should also be mindful of their ongoing duty to correct and update prior disclosures.
- The guidance makes clear that it expects boards to be informed decision makers when it comes to cybersecurity risks and incidents. Public companies should implement appropriate procedures to ensure that information about risks and incidents is disseminated appropriately to management and directors and, if appropriate, should consider cybersecurity training for board members.
- Public companies should review and revise insider trading policies and codes of ethics to ensure they will restrict the ability of insiders to trade on information about nonpublic cybersecurity risks and incidents, particularly incidents that are under investigation.