On February 21, 2018, the Securities and Exchange Commission (SEC) issued a detailed interpretive Commission Statement and Guidance on the cybersecurity disclosures of public companies (the “Guidance”) to help public companies meet their cybersecurity disclosure obligations under the federal securities laws. The Guidance notes that, as reliance on networked systems and the internet has grown many times over in recent years, the risks, threats, and frequency of cybersecurity incidents have increased as well. Companies are left with no choice but to take immediate notice of the issue and bear the resulting measures and costs, which may include employee training, remediation expenses, litigation, agency investigations and enforcement actions, and IT costs.
In this context, the Guidance instructs public companies to:
Inform investors of any probable cybersecurity risks and threats, and of their potential cost, in accordance with the federal securities laws.
Implement disclosure controls and procedures that cover all relevant aspects of the business and enable the company to make timely and accurate cybersecurity disclosures.
Guard against insider trading risks and selective disclosure in the context of cybersecurity incidents.
This latest Guidance builds on the prior guidance issued in October 2011 by the SEC’s Division of Corporation Finance. It offers a Commission-level endorsement of the views expressed there and underscores the SEC’s attention to prevalent cybersecurity threats. It goes beyond the 2011 guidance in that (i) it was issued by the SEC itself rather than by its staff, and (ii) it directly addresses disclosure controls and restrictions on insider trading in the context of cybersecurity. Otherwise the Guidance closely tracks the substance of the 2011 guidance without imposing new standards on public companies.