SEC’s Updated Cybersecurity Disclosure Guidelines Leave Questions Unanswered

by Ifrah PLLC

As previewed in our previous post, the United States Securities and Exchange Commission (“SEC”) unanimously approved new cybersecurity interpretive guidance—a format used to clarify the SEC’s views on securities laws and regulations—on Wednesday of last week. The guidelines make no mention of how they affect and interplay with other regulators’ data privacy requirements, so whether compliance with these guidelines absolves companies of liability is a crucial question left for another day.

The new SEC guidance builds on a 2011 SEC report on the same topic and calls for public companies to be more transparent regarding their cybersecurity risks—both before and after an attack. The guidance encourages public companies to implement policies that allow them to quickly assess cybersecurity risks and decide when to tell the public.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” the report states, “including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” While companies are not required to make public sensitive information that could compromise their cybersecurity protections, the SEC guidance states that they also cannot use internal or law enforcement investigations as an excuse for not informing the public:

“We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”

The SEC guidance also makes clear that it does not want a repeat of the Equifax situation, an instance in which concerns about insider trading emerged last year after Equifax Inc. revealed that several executives had sold shares in the days between the company’s discovery of a breach and its disclosure. An Equifax board review found no wrongdoing, but many, including the SEC, were disturbed by the chain of events. Thus, the 2018 guidance encourages public companies to create policies that prevent corporate insiders from trading shares when they hold material nonpublic information regarding cyber incidents.

“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a statement. Democratic commission members Kara Stein and Robert Jackson, however, were less optimistic in their separately issued statements, in which they lamented the limited action taken by the SEC’s new guidance.

Commissioner Jackson wrote that “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy.” Jackson further stated the new guidance “essentially reiterates years-old staff-level views on the issue,” and referenced a recent report from the White House Council of Economic Advisers that found companies frequently underreport cybersecurity events to investors.

Calling the guidance “far from robust,” Stein argued that the new interpretation is largely redundant of the SEC’s 2011 guidance. Quoting a 2014 study, she stated the 2011 guidance “resulted in a series of disclosures that rarely provide differentiated or actionable information for investors.” “It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” Stein said.

In their statements, both Stein and Jackson suggest various initiatives the SEC could take to protect investors on cybersecurity issues: more rigorous rulemaking to police disclosure around cybersecurity issues, requiring certain cybersecurity policies at public companies, the creation or improvement of incentives and penalties to motivate firms to increase their cybersecurity infrastructure, and/or deeper analysis of the impact of the 2011 guidance.

Putting aside these critiques, the SEC’s guidelines raise one resounding question: how do these guidelines interplay with other regulators’ (typically more stringent) data privacy requirements? The European Parliament, for instance, requires that companies dealing with European Union citizens’ data comply with the General Data Protection Regulation (“GDPR”). The GDPR takes a wide view of what constitutes personal identification information and requires the same level of protection for things like an individual’s IP address or cookie data as it does for name, address and Social Security number. Closer to home, most U.S. states have their own data privacy requirements. For instance, Massachusetts was one of the first states to enact information security requirements for companies doing business within its borders. The question remains, then, whether compliance with the SEC’s new guidance is the ceiling or the floor. When boards, shareholders, and/or the public bring lawsuits against public companies following data breaches, will following the SEC guidance be enough to shield a company from liability? Until new guidance is issued by the SEC, these questions will remain in play.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
