SEC’s Cybersecurity Interpretive Guidance
It is difficult to overstate the importance of cybersecurity in today’s digital world. Indeed, you would be hard-pressed to find an institution whose long-term survival does not fundamentally depend on the protection of its digital information and assets. With an acute awareness of the risks surrounding this issue, the Securities and Exchange Commission has recently reiterated its position on cybersecurity and has provided further guidance for public companies regarding their disclosure obligations about cyber attacks.
It is a sign of the times that the guidance states that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” The SEC is making it clear that companies should think of cyber attacks in terms of “when” instead of “if”.
Under US federal securities laws, public operating companies are obliged to pay particular attention to their disclosure obligations so as to minimise cybersecurity risks and incidents. The SEC has further reemphasised the importance of disclosure controls and procedures, and of policies on insider trading and selective disclosure. The regulator hopes that the release will help promote clearer and more robust disclosures by companies concerning cybersecurity risks and incidents, resulting in more complete information being available to investors.
The SEC’s guidance is available here, and SEC Chairman Jay Clayton’s statement on the release is here.