What Are Key Action Items Stemming from the New SEC Guidance on Cybersecurity Disclosures?

Securities News Watch

On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued its Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures. The SEC previously addressed this topic in 2011 Disclosure Guidance: Topic No. 2. According to SEC Chairman Jay Clayton, the new interpretive guidance “reinforces and expands” the Division’s 2011 guidance and “addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures.” In connection with the release of the new guidance, the SEC Chairman has asked the Division of Corporation Finance to continue to “carefully monitor cybersecurity disclosures” as part of its review process, which is likely to lead to more SEC comments on cybersecurity disclosures.

The 2018 interpretive guidance provides a comprehensive overview of the SEC’s position on cybersecurity issues faced by public companies.  In addition to reminders about cybersecurity disclosure touchpoints (i.e., risk factors, management’s discussion and analysis of financial condition and results of operations, description of business, legal proceedings and financial statements), which are largely the same as disclosure reminders included in the 2011 guidance, the 2018 release makes it clear that the SEC places great emphasis on cybersecurity risk management policies and procedures and considers them to be “key elements of enterprise-wide risk management.”