SEC Expands Guidance On Cybersecurity Risk Disclosures

King & Spalding

The Securities and Exchange Commission (“SEC”) recently issued a statement and guidance to assist public companies in adequately disclosing cybersecurity risks and incidents.  The new interpretive guidance, which became effective February 26, 2018, substantially expands on the SEC’s 2011 guidance on cybersecurity-related disclosures.

Recognizing the increasing frequency of cybersecurity incidents, the SEC’s new guidance finds that “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”  Thus, the new guidance emphasizes that companies must assess the materiality of any cybersecurity incidents that may occur, as well as any existing cyber related risks when it prepares and files disclosures pursuant to securities laws.

The SEC further advises that the materiality of cybersecurity risks or incidents depends on their “nature, extent, and potential magnitude,” in addition to the range of harm that an incident could cause to a company’s operations and reputation.  Companies must put adequate disclosure controls in place to ensure accurate and timely disclosure of any material events or risks relating to cybersecurity, taking into consideration, among other factors: (i) prior cybersecurity incidents, (ii) company-specific data or operations that create unique risks, (iii) the probability and potential magnitude of an incident, and (iv) costs relating to cybersecurity risks and protections, including applicable cyber insurance.

While material cybersecurity risks and incidents must be disclosed, the SEC reaffirmed its statement from its 2011 cybersecurity guidance that companies are not required to—and should not—provide a “roadmap” for cyber criminals to use to exploit a company’s cyber defenses.  Accordingly, disclosure of specific, technical descriptions of system vulnerabilities is not required.
The SEC’s new guidance also stresses the importance of establishing appropriate internal controls to ensure that corporate insiders do not trade company stock on the basis of material nonpublic information relating to a company’s cybersecurity risks.  In particular, when a company is in the process of investigating a potential cybersecurity incident, the SEC advises that companies should place restrictions on insider trading to avoid any potential improper trading between the time the incident is identified and when details of the incident can be properly disclosed to the public.

Written by:

King & Spalding

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.