SEC Approves Guidance on Public Company Cybersecurity Disclosures

Blog Keeping Current: Disclosure and Governance Developments

On February 21, 2018, the Securities and Exchange Commission (SEC) approved an interpretive release updating guidance on public company disclosure and other obligations concerning cybersecurity matters. In large measure, the interpretive release, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (Guidance), expands upon the Division of Corporation Finance’s 2011 CF Disclosure Guidance: Topic No. 2, Cybersecurity. The 2011 disclosure guidance was issued to assist companies in assessing what disclosures might be required about cybersecurity risks or incidents. The new Guidance goes beyond disclosure considerations by stressing the importance of cybersecurity policies and procedures and discussing the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD selective disclosure prohibitions. As Chairman Clayton noted in a statement about the new Guidance, he believes “that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

Going forward, cybersecurity likely will remain a potential area for future rulemaking given public interest in the topic generally and given the interest expressed by at least two of the SEC Commissioners in additional specific requirements with respect to cybersecurity matters. (See statements by Commissioners Stein and Jackson.) In the near term, companies should consider reviewing and refreshing their disclosures regarding oversight of cybersecurity risks and should consider reviewing their disclosure controls and procedures to make sure they capture cybersecurity matters.

The Guidance is discussed in greater detail in our client alert, “SEC Approves Guidance on Public Company Cybersecurity Disclosures.” 

