InfoBytes Blog

Financial Services Law Insights and Observations

SEC issues new cybersecurity reporting guidance

Privacy, Cyber Risk & Data Security

On February 21, the SEC released Cybersecurity Interpretive Guidance designed to provide assistance to public companies when preparing disclosures about cybersecurity risks and incidents. According to a press release, the commissioners voted unanimously on February 20 to approve the guidance, which reinforces and expands guidance previously issued in 2011. The guidance, which addresses the “grave threats” cybersecurity risks pose to investors, the capital market, and the United States, states the SEC’s expectations that companies should, among other things, (i) provide disclosures tailored to a particular company’s cybersecurity risks rather than using “boilerplate language or static requirements,” and (ii) adopt policies that will restrict executive trading in a firm’s securities while possessing nonpublic information related to cybersecurity risks or attacks. In connection with the release of the guidance, SEC Chairman Jay Clayton released a statement urging public companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” The statement also stressed the federal securities law disclosure requirements that companies “must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents.”