On February 21, 2018, the Securities and Exchange Commission (“SEC”) published interpretive guidance on public company cybersecurity disclosures. While the new guidance confirms the SEC’s intensified focus on cybersecurity disclosures, by the SEC’s own characterization, it primarily reinforces and somewhat expands upon guidance previously issued by the SEC staff in October 2011. In fact, much of the language included in this new guidance tracks word for word with the staff’s 2011 guidance. The SEC’s five commissioners voted unanimously to issue the guidance, but the support of two commissioners was given with reservation based on their view that these “reminders” do not raise the bar on disclosure to the necessary level and leave much more to be done by the SEC on the topic.
Notable differences from the 2011 guidance include:
• Elevated significance from staff guidance to Commission-level guidance;
• Inclusion of a discussion on disclosure regarding the board of directors’ role in risk oversight of cybersecurity;
• Enhanced focus on disclosure controls and procedures as they relate to cybersecurity; and
• Considerations with respect to insider trading laws and selective disclosure under Regulation FD raised by cybersecurity incidents.
Please see full Alert below for more information.