The Guidance addresses a public company’s obligation to make certain disclosures concerning cybersecurity risks and cyber incidents.

On October 13, 2011, the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC) issued “CF Disclosure Guidance: Topic No. 2 – Cybersecurity” (the Guidance), regarding a public company’s obligation to make certain disclosures concerning cybersecurity risks and cyber incidents. The SEC issued the Guidance in apparent response, at least in part, to a letter to the SEC signed earlier this year by five U.S. senators inviting SEC guidance on the topic. Signatories included U.S. Senators John D. Rockefeller, Sheldon Whitehouse, Richard Blumenthal, Robert Menendez and Mark Warner. The senators’ letter pointed to, among other things, a 2009 survey in which Hiscox, a cyber-insurance underwriter, found that 38 percent of public companies did not adequately report information about security risks in public disclosures.