Originally published by Bloomberg Finance L.P. in the Vol.6, No. 12 edition of the Bloomberg Law Reports—Securities Law.

The Facebook, Inc. (Facebook) initial public offering last month was probably the most anticipated IPO filing of the 21st century. In its S-1 filing with the U.S. Securities and Exchange Commission (SEC) – the first step on any company’s journey to becoming a publicly traded company – Facebook has set the bar for S-1 disclosure in the areas of cybersecurity and privacy risks.

Less than four months before Facebook’s S-1 filing, the SEC’s Division of Corporation Finance (Division) issued informal guidance regarding public companies’ disclosure of cybersecurity risks and cyber incidents (Cybersecurity Guidance). The Cybersecurity Guidance did not create any new disclosure requirements, but rather clarified existing law in an effort to better educate the ever-growing group of companies that face cybersecurity risks and cyber incidents in their businesses.