SEC Issues Interpretive Guidance for Public Company Cybersecurity Disclosures


Public companies may face increased regulatory scrutiny regarding the effectiveness of their disclosure controls and procedures surrounding cybersecurity risks. The interpretive guidance issued by the U.S. Securities and Exchange Commission (SEC) on February 21, 2018, is intended to enable public companies to provide clear, relevant and timely disclosures to investors about cybersecurity risks and incidents.

Cyber attacks have dominated headlines since the SEC's earlier guidance in 2011 on disclosure obligations relating to cybersecurity risks and cyber incidents, with several public companies coming under fire for data breaches. On April 24, 2018, the SEC announced an agreement by a public company to pay a $35 million penalty to settle charges that it “misled investors by failing to disclose one of the world’s largest data breaches.” The order added that the company did not maintain disclosure controls and procedures designed to ensure that reports from the company’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in the company’s public filings.

The 2018 SEC interpretive guidance indicates that “given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The guidance also stresses the importance of public companies having appropriate disclosure controls and procedures in place that enable them to properly discern the impact that cyber risks could have, as well as a “protocol to determine the potential materiality of such risks and incidents.”

“In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face,” the SEC guidance states.

The guidance also reminds companies and their directors, officers, and other insiders to comply with insider trading laws in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.

Kaufman Rossin’s risk advisory services team has expertise in helping companies improve the design of their disclosure controls and procedures and in evaluating and articulating the overall impact of information technology-related risks. We review policies and procedures and recommend ways to prevent, detect and respond to material cybersecurity risks and incidents effectively and efficiently.

To learn more about the new SEC guidance on cybersecurity disclosures and what it means for your public company, contact Kaufman Rossin’s risk advisory services team.

Ivan Garces, CPA, is Chief Risk Officer and Risk Advisory Services Practice Leader at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
