Marty Dunn, Miriam H. Wugmeister, Scott Lesmes, John P. Carlin, and David A. Newman
Global Risk + Crisis Management, Privacy + Data Security, REITs, and Public Companies Counseling + Compliance
In an unusual step that appears to indicate renewed, if not intensified, scrutiny of public companies’ cybersecurity practices by the Securities and Exchange Commission (SEC), the SEC’s five commissioners unanimously issued guidance (the “Guidance”) on February 21, 2018 covering a range of cybersecurity topics including disclosure obligations, board oversight and risk management controls. The SEC staff had issued guidance regarding cybersecurity disclosure in October 2011. While the Commission issued the Guidance unanimously, it is important to note that two of the commissioners have released public statements expressing reserved support for the Guidance, but noting that it in large part recapitulates information already presented in 2011 by the SEC’s Division of Corporation Finance.
Public companies should closely review the Guidance for the additional details it provides regarding key disclosure obligations:
The Guidance also touches upon two areas not previously discussed by the SEC:
In July 2017, SEC Chairman Jay Clayton gave a speech at the Economic Club of New York that many interpreted as signaling a more cooperative enforcement posture by the SEC (“Being a victim of a cyber penetration is not, in itself, an excuse. But, I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations”[2]).
Takeaways
The extent to which this newly published Guidance will have a direct impact on enforcement is still not clear, but companies are advised to:
[1] https://www.sec.gov/rules/interp/2018/33-10459.pdf
[2] https://www.sec.gov/news/speech/remarks-economic-club-new-york
Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.