The SEC unanimously approved a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. SEC Chairman Jay Clayton indicates:
In today’s environment, cybersecurity is critical to the operations of companies and our markets. Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.
The interpretive guidance provides the SEC’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context. The SEC indicates that the SEC staff, through its Division of Corporation Finance filing review process, continues to monitor cybersecurity disclosures carefully.
The interpretive guidance is effective upon publication in the Federal Register.
Not a subscriber? Contact us for a representative.