On February 21, 2018, the SEC updated its six-year old guidance on cybersecurity issues by providing an Interpretive Release. The Interpretive Release clarifies what types of breaches are required to be disclosed, and broadly how cybersecurity fits into existing SEC rules and regulations. Check out this video to learn more.
Hello, I’m Mike Dean, a manager in PwC’s SEC services group. Today I would like to share with you some recent news coming out of the SEC that could impact your SEC filings.
On February 21st, the SEC issued an Interpretive Release to address how cybersecurity risks, incidents and related matters should be disclosed within the framework of existing SEC guidance.
This release reinforces and expands the guidance that the Division of Corporation Finance issued in 2011.
We have all heard of numerous cyber breaches and attacks that have been levied against all aspects of society, including public companies.
The disclosure of cyber breaches, risks and related matters on these companies have taken various forms and approaches with respect to the impact on their operations and financial results.
The SEC issued this interpretive guidance to assist companies in evaluating how these events should be considered in the context of the existing rules.
The interpretive release does not create a new disclosure obligation; rather, it provides guidance on items companies should consider under the existing requirements and considering materiality.
Within the release, the SEC also reminded companies that corporate insiders cannot trade on material nonpublic information which may include cyber related incidents.
Finally, the SEC reiterated the importance for companies to evaluate their disclosure controls and procedures as it relates to cybersecurity.
As a result of this release, many companies could expect to have increased disclosures in their SEC filings with respect to cyber breaches, threats and potential risks. These disclosures may impact many areas of a company’s filing, including Risk Factors, Management Discussion & Analysis, and possibly the financial statements.
Companies should also consider filing an 8-K relating to a material cyber security incident.
The guidance from the Interpretive Release is applicable to all public companies upon its publication in the Federal Register.
PwC has issued this In brief: SEC issues interpretive guidance on cybersecurity disclosures, which summarizes the Release’s key points and provides further guidance.
And be sure to visit CFOdirect.com periodically for updates and insight related to how this Release could impact your cyber disclosures.
© 2016 - 2018 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.