Alston & Bird Privacy Blog

SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures

February 23, 2018 By Cara Peterman

The Securities and Exchange Commission (SEC) issued a press release announcing its unanimous approval of a statement by SEC Chairman Jay Clayton and interpretive guidance (the “2018 Guidance”) to assist public companies in preparing disclosures about cybersecurity risks and incidents. This is the first interpretive guidance published by the full Commission on the topic of cybersecurity for public companies, and it may foreshadow increased SEC action to protect investors from the potential negative effects of increasingly common large-scale data breaches. The 2018 Guidance formalizes and expands on the SEC staff’s earlier position that cybersecurity risks and incidents may trigger disclosure obligations for public companies and addresses the SEC’s expectations for public company disclosure controls and procedures as they relate to cybersecurity.

In 2011, the SEC’s Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 (the “2011 Guidance”), addressing the staff’s views that companies may be required to disclose cybersecurity risks and incidents as part of their existing disclosure obligations. Since 2011, the SEC has issued intermittent informal statements relating to cybersecurity, including in connection with its Cybersecurity Roundtable in 2014 and Chairman Clayton’s September 2017 Statement on Cybersecurity, which disclosed an intrusion into the SEC’s own data systems. Given the SEC’s public focus on cybersecurity issues, it has long been expected that the SEC would issue more formal guidance.

In many respects, the 2018 Guidance varies little from the 2011 Guidance and addresses disclosure issues that most public companies have already integrated into their disclosure processes. Among other things, the 2018 Guidance reinforces that companies should consider the materiality of cybersecurity risks and incidents when preparing disclosures.

The 2018 Guidance does, however, provide a more comprehensive and detailed view of the SEC’s expectations for public company disclosures. Notably, the 2018 Guidance repeatedly emphasizes that required disclosures should be made “timely” and on an ongoing basis, and states that the existence of an ongoing investigation into a cybersecurity incident does not—standing alone—provide a basis for avoiding timely disclosure of a material incident. The majority of the new content in the 2018 Guidance otherwise pertains to disclosure controls and procedures generally and ensuring that such processes effectively address cybersecurity risks and incidents. Finally, the 2018 Guidance encourages companies to review their insider trading policies as they relate to non-public cybersecurity risks and incidents and to consider prohibiting trades between discovery of a potential breach and disclosure of that breach.

The 2018 Guidance is effective upon publication in the Federal Register, which typically occurs within 4–7 days of release.

Filed Under: Cybersecurity, Data Breach, Data Security, Security Breach Tagged With: Securities and Exchange Commission

About Cara Peterman

Cara Peterman is a partner with the firm’s Securities Litigation Group. Her practice focuses on fiduciary duty and shareholder derivative suits, securities fraud, and other complex commercial litigation.

Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.