The recent spate of high-profile cybersecurity breaches has not spared public companies, as demonstrated by large data breaches in recent years involving Equifax Inc. (NYSE: EFX) and a multitude of other companies. In response to the proliferation of cybersecurity threats to public companies, on February 21, 2018, the SEC released interpretive guidance to assist companies in preparing disclosures about cybersecurity risks and incidents. The release, which expands upon the staff’s 2011 guidance and addresses several new topics, was adopted unanimously by the full SEC and, therefore, carries significant weight.
As the SEC release makes clear, in order to meet their ongoing disclosure requirements, public companies should adequately and timely disclose any and all material cybersecurity risks and incidents in their registration statements and in their periodic and current reports. Public companies must weigh the potential materiality and likelihood of identified risks and, in the case of cybersecurity incidents, the importance of any compromised information and the impact on their operations. Further, the SEC encourages the use of Forms 8-K and 6-K to promptly disclose cybersecurity risks and incidents, as it will help to reduce the risks of selective disclosure and insider trading. The SEC guidance indicates that, although some time may be needed to discern the scope and implications of a cybersecurity incident, an ongoing internal or external investigation would not, on its own, provide a basis for avoiding disclosures of a material cybersecurity incident. The release includes specific guidance on a number of disclosure elements required by Regulation S-K and Regulation S-X, including risk factors, management discussion and analysis, description of the business, legal proceedings, financial statements and board risk oversight.