Cybersecurity Risks and Events Receive SEC Attention—Disclosure Guidance From Corp Fin


The US Securities and Exchange Commission’s Division of Corporate Finance (“Corp Fin”) recently released guidance regarding the obligation of a publicly traded company or issuer to disclose cybersecurity risks and incidents. Written in response to the increased evidence of concerted, targeted cyber attacks, Corp Fin’s issued guidance outlines disclosure considerations and recommends release of information to the market under certain circumstances. The risks associated with cyber penetration could affect financial statements, assessment of controls by management and independent auditors, and certifications required by Sarbanes-Oxley (“SOX”).

This new guidance on issuers’ disclosure obligations related to cybersecurity threats and incidents introduces additional issues for management to consider and presents new potential risks for management. Existing disclosure rules do not explicitly address cybersecurity. Nevertheless, this new guidance may impose obligations on issuers to disclose material information concerning cybersecurity risks and incidents, in order to make other disclosures, in light of circumstances under which they are made, not misleading or false. As with other operational and financial risks, issuers must review the adequacy of their disclosures related to cybersecurity risks and incidents. This guidance is similar to Corp Fin’s interpretive guidance concerning disclosure of climate change matters in so far as it does not create new disclosure standards, but instead emphasizes what Corp Fin wants issuers to consider.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.