SEC Issues New Guidance on Cybersecurity Disclosures

John Jennings, Charles Vaughn
Nelson Mullins Riley & Scarborough LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Nelson Mullins Riley & Scarborough LLP

On February 21, 2018, the Securities and Exchange Commission issued new guidance on public company disclosure obligations with respect to matters involving cybersecurity risk and incidents.  The new guidance also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context.

Most of the new guidance reinforces and expands previous guidance issued by the SEC’s Division of Corporation Finance in 2011, which gave the Division’s views regarding disclosure obligations that relate to cybersecurity risks and incidents.  In particular, as in the 2011 guidance, the new guidance notes that cybersecurity disclosures should be non-generic and tailored to a company’s particular circumstances and may be required in sections of public filings addressing Risk Factors, MD&A, Description of Business, Legal Proceedings and Financial Statement Disclosures.  

The new guidance notes that the materiality of cybersecurity risks and incidents depends in large part on the range of harm that such incidents could cause, including harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions.

The SEC itself, not the Division of Corporation Finance, issued the new guidance.  The new guidance also addresses some new areas, including the following:

  • Board Oversight.  The new guidance advises public companies to disclose the role of its board of directors in cyber risk management, at least where cyber risks are material to the company’s business.
  • Disclosure Controls and Procedures.  The new guidance encourages public companies to have proper controls in place that (a) ensure important cyber risk and incident information is elevated to senior management and (b) enable informed disclosure decisions.
  • Insider Trading and Selective Disclosures.  The new guidance reminds public companies that cyber risks and incidents may constitute material non-public information implicating insider trading laws and Regulation FD.

The SEC’s statement, along with a link to the new guidance, is available at: https://www.sec.gov/news/press-release/2018-22.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising

Written by:

Nelson Mullins Riley & Scarborough LLP
Nelson Mullins Riley & Scarborough LLP
Contact
more
less

Nelson Mullins Riley & Scarborough LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide