Skip to Content
Flags outside government building
Article

The SEC and cybersecurity: What you need to know

January 23, 2019 / 3 min read

The SEC issued new guidance around cybersecurity disclosures, which likely affect your organization. Consider your procedures for effective disclosures, the process for notifying investors, as well as the forms that require this information and how to best adhere to this guidance.

Background

In October 2011, the Division of Corporate Finance issued guidance that provided views regarding disclosure obligations relating to cybersecurity risks and incidents. The guidance explains that, although no existing disclosure requirement explicitly refers to cybersecurity risk and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents. After the issuance of this guidance, many companies included additional cybersecurity disclosure, typically in the form of risk factors.

On Feb. 21, 2018, the SEC issued interpretive guidance in response to the ongoing risks and threats that cybersecurity presents to our capital markets and to companies operating in all industries, including public companies regulated by the Commission. Companies today rely more and more on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. The U.S. Computer Emergency Readiness Team defines cybersecurity as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

Who does this guidance apply to?

When is it effective?

What is the SEC’s new guidance related to cybersecurity disclosures?

Public companies must inform investors about material cybersecurity risks and incidents, including breaches, in a timely fashion.

Where does this information need to be disclosed?

Why is the SEC providing additional guidance?

How can companies adhere to the SEC guidance?

Actions to take

Public company executives and their boards should revisit disclosures and disclosure controls and procedures, including controls over the sales of securities by executives. To learn more, or to understand how this cybersecurity guidance may impact your business, please contact us today.

Related Thinking

Business professionals discussing their retirement system cybersecurity.
September 26, 2024

Cybersecurity: Protecting your retirement system from hidden threats

Article 7 min read
Parents and their children smiling and taking a selfie.
September 9, 2024

Cybersecurity for families: 5 ways to help protect children and adults

Article 10 min read
Person searching on their computer in a dimly lit room.
August 30, 2024

Addressing the vendor threat

In The News 5 min read