SEC and NYSE/Nasdaq Developments

SEC Adopts Interpretive Guidance on Cybersecurity Disclosures

On February 21, 2018, the Securities and Exchange Commission (SEC) released new interpretive guidance on public company disclosures regarding cybersecurity risks and incidents. The new interpretive guidance, which reinforces and expands the guidance provided by the staff of the Division of Corporation Finance of the SEC on October 13, 2011, outlines the SEC's views regarding disclosures by public companies relating to cybersecurity risks, events and incidents under existing securities laws. It also outlines the SEC's views regarding the importance of appropriate disclosure controls and procedures, insider trading policies and selective disclosure safeguards in the context of cybersecurity incidents.

Although the interpretive guidance makes clear that the SEC views cybersecurity as a key disclosure matter, it does little to provide public companies with specific guidance on SEC expectations for what is required to be disclosed and when. The interpretive guidance does, however, present the following views of the SEC:

  • Public companies should be describing the role that boards of directors have in cybersecurity-related risk management to the extent those risks are material to their businesses.
  • Public companies should maintain adequate disclosure controls and procedures so that individuals responsible for disclosures are promptly alerted of cybersecurity incidents and a timely materiality and disclosure assessment can be made. Existing controls and procedures should be revisited to confirm their adequacy, and officers preparing certifications of periodic reports should consider the adequacy when providing such certifications.
  • Public companies should have policies and procedures that restrict the ability of officers, directors and other insiders from trading before a decision has been made regarding the materiality and the disclosure necessary for a cyber incident.

The interpretive guidance does not provide any specific disclosure requirements that explicitly refer to cybersecurity matters. The guidance instead reiterates that the disclosure requirements related to cybersecurity risks and incidents are based on the relevant disclosure considerations that arise in connection with any business risk. It may be appropriate to provide disclosure regarding cybersecurity in the context of the following:

  • risk factors;
  • operating and financial review and prospects (OFR);
  • description of the business;
  • legal proceedings;
  • financial statements; and
  • disclosures of boards of directors' role in risk management.

Companies are not required to make disclosures that compromise their own cybersecurity efforts or those of law enforcement. However, companies must disclose cybersecurity risks and incidents that are material to investors in a timely manner. Companies may, in certain circumstances, be required to disclose such risks and incidents even before the completion of an internal investigation. In addition to making new disclosure, companies may have to amend or update prior disclosure.

In light of the guidance, companies should also consider the following:

  • reviewing risk factor disclosures to ensure that the disclosures do not give the impression that the company has never been the target of, or subject to, a cybersecurity threat;
  • disclosing any material ongoing cybersecurity spending, whether defensive or responsive to an actual incident, in the OFR; and
  • engaging with the board regarding cybersecurity issues, specifically by reviewing with the board a summary of the interpretive guidance and reviewing the board's role in the oversight of cybersecurity matters.

While not expressly stating so, the interpretive guidance indicates that the SEC may be considering the following:

  • new rules that specifically mandate the content and the timing of cybersecurity-related disclosures; and
  • bringing the first enforcement cases against public companies related to inadequate cybersecurity disclosures or ineffective disclosure controls and procedures.

The SEC's interpretive guidance is available at:

Our related client publication is available at:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.