On February 21, the SEC issued interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. This guidance reinforces and expands on the guidance issued by the SEC staff in 2011.
The new guidance does not change any of the SEC’s rules. While it is generally consistent with the 2011 staff guidance, it addresses two additional topics:
The interpretive guidance identifies sections of filings where the disclosure of cybersecurity matters may be appropriate and provides examples of the types of disclosure that should be considered, including the following:
Additional cybersecurity disclosures should be considered in periodic reports (e.g., Form 10-K, Form 10-Q, Form 20-F) and registration statements (e.g., Form S-1, Form S-3). The Commission encourages companies to use Form 8-K or Form 6-K to disclose material information pertaining to cybersecurity matters.
Compliance with the interpretive guidance will help ensure that companies inform investors in a timely manner about the material cybersecurity risks and incidents the company has faced or is likely to face. Most companies should expect increased disclosures in their SEC filings with respect to board risk oversight and to cyber breaches, threats, and potential risks.
Companies should assess their current cybersecurity risk management policies and procedures, and determine whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported in their SEC filings. Companies should also consider whether they need to revisit or refresh previous disclosures, including while an investigation of a cybersecurity incident is still in progress, and consider filing a Current Report on Form 8-K relating to any material cybersecurity incident.
The new interpretive guidance is applicable to all public companies upon its publication in the Federal Register.
On February 21, 2018, the SEC updated its six-year-old guidance on cybersecurity issues by providing an Interpretive Release. The Interpretive Release clarifies what types of breaches are required to be disclosed, and more broadly how cybersecurity fits into existing SEC rules and regulations.