In an unusual step that appears to signal renewed, if not intensified, scrutiny of public companies’ cybersecurity practices by the Securities and Exchange Commission (SEC), the SEC’s five commissioners unanimously issued guidance (the “Guidance”) on February 21, 2018 covering a range of cybersecurity topics, including disclosure obligations, board oversight and risk management controls. The SEC staff had previously issued guidance regarding cybersecurity disclosure in October 2011. Although the Commission issued the Guidance unanimously, two of the commissioners released public statements expressing only reserved support for it, noting that it in large part recapitulates the information already presented in 2011 by the SEC’s Division of Corporation Finance.
Public companies should closely review the Guidance for the additional details it provides regarding key disclosure obligations:
The Guidance also touches upon two areas not previously discussed by the SEC:
In July 2017, SEC Chairman Jay Clayton gave a speech at the Economic Club of New York that many interpreted as signaling a more cooperative enforcement posture by the SEC (“Being a victim of a cyber penetration is not, in itself, an excuse. But, I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations”).
The extent to which this newly published Guidance will have a direct impact on enforcement is still not clear, but companies are advised to: