On February 21, 2018, the SEC approved new interpretive guidance to assist public companies in preparing their disclosures about cybersecurity risks and incidents. The Release builds upon and expands on the SEC’s 2011 staff guidance on cybersecurity matters.

In the Commission’s release, the SEC explained that it:

  • believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
  • expects companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.
  • believes that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.
  • expects companies, in their management discussion & analysis sections of their public filings addressing their results of operations and financial condition, to consider an array of potential costs that may be associated with cybersecurity issues, including: remediation costs, such as liability for stolen assets or information, repairs of system damage, increased cybersecurity protection costs, lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack; litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities; increased insurance premiums; reputational damage that adversely affects customer or investor confidence; and damage to the company’s competitiveness, stock price, and long-term shareholder value.

The SEC also reminded public companies of the ways in which cybersecurity incidents, and their related costs, can impact a company’s financial statements, its disclosure controls and procedures, and its insider trading compliance program. The SEC Release also specifically addresses the importance of company disclosure to investors about how the company’s board of directors is discharging its risk oversight responsibility with respect to the company’s cybersecurity risk management policies and procedures.

The SEC’s February 21st release is here: https://www.sec.gov/rules/interp/2018/33-10459.pdf

The statement of Commissioner Clayton is here: https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21

Edward B. Whittemore

Ted Whittemore advises public, private, emerging and nonstock/non-profit businesses on a broad range of corporate, securities and governance matters with a focus on general corporate law, registered and exempt securities offerings, SEC compliance representation, mergers and acquisitions, and corporate finance. Ted has represented issuers and investors in public and private offerings of debt and equity securities and has advised securities professionals (broker-dealers, investment advisers, and their personnel) on registration, reporting and other regulatory and compliance matters. He advises public companies with their ongoing regulatory matters, including periodic reporting with the SEC, corporate disclosure and finance, stock exchange listing compliance, short-swing and insider trading matters, proxy regulation and deregistration issues. Ted has represented both buyers and sellers in merger, acquisition and divestiture transactions and has advised directors and officers with respect to their fiduciary obligations under state corporate laws. He also advises clients with respect to the formation, management and on-going operations of privately-held and nonstock/non-profit business entities. Ted has authored or co-authored a number of publications on issues including state corporate laws, SEC regulations, insider trading, securities offerings, financial privacy, and electronic financial services.