The Securities and Exchange Commission recently updated guidance to public companies regarding cybersecurity disclosures and disclosure policies. The Commission also suggested that it may base future insider trading cases on trading ahead of the announcement of material cybersecurity events. To reduce the risk of enforcement actions, public companies should revisit existing cybersecurity disclosures and policies. Consistent with other trends in regulation, the SEC guidance likely will accelerate public reporting of cybersecurity breaches.

Recent SEC Guidance

The guidance issued recently focuses on public company disclosures and related policies and procedures.

  • The Commission wants public companies to move beyond boilerplate cybersecurity disclosures to a more individualized, thoughtful review of risks. Those disclosure enhancements are meant to foster more rigorous self-examination of risks and mitigation plans. Boards should be involved in this review.
  • The SEC urges near-immediate reporting of cybersecurity events. The guidelines encourage public companies to disclose events on Form 8-K, rather than waiting for quarterly and annual reports.
  • The enhancements to disclosure policies and certifications effectively invite audit firms to increase their testing in this area.