On February 21, 2018, the Securities and Exchange Commission issued new guidance on public company disclosure obligations with respect to matters involving cybersecurity risk and incidents. The new guidance also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context.
Most of the new guidance reinforces and expands previous guidance issued by the SEC’s Division of Corporation Finance in 2011, which gave the Division’s views regarding disclosure obligations that relate to cybersecurity risks and incidents. In particular, as in the 2011 guidance, the new guidance notes that cybersecurity disclosures should be non-generic and tailored to a company’s particular circumstances and may be required in sections of public filings addressing Risk Factors, MD&A, Description of Business, Legal Proceedings and Financial Statement Disclosures.
The new guidance notes that the materiality of cybersecurity risks and incidents depends in large part on the range of harm that such incidents could cause, including harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions.
The SEC itself, not the Division of Corporation Finance, issued the new guidance. The new guidance also addresses some new areas, including the following:
- Board Oversight. The new guidance advises public companies to disclose the role of their boards of directors in cyber risk management, at least where cyber risks are material to the company’s business.
- Disclosure Controls and Procedures. The new guidance encourages public companies to have proper controls in place that (a) ensure important cyber risk and incident information is elevated to senior management and (b) enable informed disclosure decisions.
- Insider Trading and Selective Disclosures. The new guidance reminds public companies that cyber risks and incidents may constitute material non-public information implicating insider trading laws and Regulation FD.
The SEC’s statement, along with a link to the new guidance, is available at: https://www.sec.gov/news/press-release/2018-22.