
SEC Releases Guidance on Disclosing Cybersecurity Risks and Incidents

On February 20, the Securities and Exchange Commission approved the issuance of an interpretive release, available here, to provide guidance to public companies when preparing disclosures about cybersecurity risks and incidents.  The release also communicates the Commission’s views on the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.

In today’s environment, cybersecurity is critical to the operations of companies and our markets.  Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies.  This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission.  Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.

In 2011, the Division of Corporation Finance issued guidance that provided the Division’s views regarding disclosure obligations that relate to cybersecurity risks and incidents.  Yesterday, the Commission voted to provide guidance to public companies that reinforces and expands the Division’s prior guidance.  The guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents.  It also addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading, and selective disclosures.  I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.  In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.

There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve.  I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews.  We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.

I would like to thank the staff for their dedication and thoughtful work on this interpretive release.  It reflects input from the Divisions of Corporation Finance, Enforcement, and Economic and Risk Analysis, and the Offices of the General Counsel and Chief Accountant.  Specifically, I would like to thank Bill Hinman, David Fredrickson, Jim Daly, Tamara Brightwell, Lilyanna Peyser, Jacqueline Kaufman, Mike Reedich, Bryant Morris, Luna Bloom, Laura Jarsulic, and Joe Brenner.  I also want to thank my fellow Commissioners and their staff for their engagement and input on this important issue.

This post is based on a statement issued on February 21, 2018, by Jay Clayton, chairman of the U.S. Securities and Exchange Commission, in Washington, D.C. The original statement is available here.
