In light of the increasing significance of cybersecurity incidents, the Securities and Exchange Commission (SEC) recently found it necessary to provide further guidance with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. On February 21, 2018, the SEC issued interpretive guidance on the cybersecurity disclosures of public companies through a Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Guidance). In its 2018 Guidance, the SEC emphasized the importance of disclosing material cybersecurity risks, even in cases where a company has not yet suffered a cyberattack. According to the SEC, public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a fulsome and timely fashion.
The 2018 Guidance expands the SEC’s 2011 guidance on cybersecurity disclosure obligations and highlights what a public company should consider when assessing its disclosure obligations surrounding cybersecurity risks and incidents. It also addresses the importance of cybersecurity policies and procedures as part of a company’s disclosure controls and procedures, and reminds companies of their obligation to prohibit insider trading on material non-public information about cybersecurity threats and incidents.