The SEC Starts Talking About Cybersecurity


"Securing cyberspace is one of the most important and urgent challenges of our time." With these words in May 2011, Senator Jay Rockefeller, the Chairman of the Senate Commerce, Science and Transportation Committee, and four other Senators, called upon the Chairman of the Securities and Exchange Commission, Mary Schapiro, to develop and publish interpretive guidance clarifying existing disclosure requirements relating to cybersecurity risk. The Senators' letter stated that a substantial number of companies do not report this risk to investors. The Senators referred to a 2009 study by Hiscox, an insurance underwriter, that 38% of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public filings.

Chairman Schapiro, in the Commission's first official statement regarding the disclosure of cyber attacks, responded on June 6, 2011. Chairman Schapiro stated that existing disclosure requirements already impose a requirement that reporting companies disclose information regarding cyber security risk. The first requirement cited by the Chairman was Item 503(c) of Regulation S-K—Risk Factors — which requires disclosure of past and future cyber attacks or the effects of a cyber attack. The Chairman continued with her view, stating that the description of a company's business required by Item 101 would require disclosure if a company's trade secrets were compromised in a cyber attack; Item 103 could be implicated if there were pending material litigation relating to a company's customer database being attacked causing a release of personal information; and Item 303—MD&A — could also be implicated if the company's trade secrets were compromised resulting in operating costs and/or losses.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.