The U.S. Securities and Exchange Commission (SEC) staff recently issued guidance concerning its views on disclosure obligations related to cybersecurity risks and cyber incidents. The SEC staff issued the guidance in response to a letter that SEC Chairman Mary Schapiro received in May 2011 from five U.S. Senators requesting that the SEC publish interpretive advice “clarifying the existing disclosure requirements pertaining to information security risk, including material information security breaches involving intellectual property or trade secrets.”

This guidance may be followed by additional legislative and regulatory action in light of the attention cybersecurity has received over the last several years. Some of these legislative or regulatory actions may even have an impact on the SEC disclosure obligations of public companies. For example, the Obama Administration presented draft legislation relating to cybersecurity to the Congress that would, among other things, require the chief executive and other executive officers of public companies to include a certification in their public SEC reports regarding their development and implementation of a cybersecurity plan for their companies and the effectiveness of the plan in mitigating identified cybersecurity risks.