The SEC’s New Cybersecurity Disclosure Guidance

By: George M. Wilson, SEC Institute

In a meeting on Wednesday, February 21, 2018, the SEC adopted an Interpretive Release titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” The release reinforces and expands upon the staff’s 2011 cybersecurity guidance in Corporation Finance Disclosure Guidance Topic Two. In this post from January 31, 2018, we briefly reviewed Disclosure Topic Two and the possibility of moving this guidance from a staff document to a commission release.

In addition, the new release addresses two issues that have been important in recent cybersecurity breaches, the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.

Disclosure Guidance Topic Two was a very principles-based disclosure model, and as you read the new Interpretation you will see it incorporates those principles. The release emphasizes the role of disclosure controls and procedures and the importance of board of directors involvement in cybersecurity disclosures. One significant change is that Disclosure Guidance Topic Two was staff guidance, and the Interpretive Release is formal guidance from the Commission, and in essence moves towards the authority of a rule.

In the release the Commission also states that they will continue to monitor company disclosures and cybersecurity developments to assess whether further guidance or rulemaking in necessary.

As always, your thoughts and comments are welcome!


Leave a Reply

Your email address will not be published. Required fields are marked *