On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) released its latest Interpretive Guidance on Public Company Cybersecurity Disclosures. Although cybersecurity has been a focus of the SEC for many years, the release is the first formal guidance issued by the agency. Previously, the SEC’s Division of Corporation Finance issued informal staff guidance in 2011, which we discussed in a past WSGR Alert.
The SEC’s new guidance largely adopts the 2011 informal guidance, which focused on companies’ obligations to disclose material cybersecurity risks and costs, including in annual reports. The new guidance re-emphasizes the necessity of making material disclosures in 10-Ks and other appropriate forms, including in statements regarding companies’ business and operations, risk factors, legal proceedings, management’s discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance.
The new guidance also highlights two specific issues raised by cybersecurity incidents: (1) whether companies have sufficient disclosure controls regarding cybersecurity risks and attacks; and (2) whether companies ensure that directors and officers do not trade between the time a cybersecurity incident is discovered and the time it is publicly disclosed to investors.