United States

SEC issues guidance on public company cybersecurity disclosures


Given the frequency, magnitude and cost of cybersecurity incidents, the SEC believes it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion. Therefore, to assist public companies in preparing disclosures about cybersecurity risks and incidents, the SEC recently issued interpretive Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

The release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. As such, companies should assess whether they have appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material cybersecurity events. The release also provides an overview of the rules requiring disclosure of cybersecurity issues including those that address the following:

  • Materiality – The materiality of cybersecurity risks or incidents depends upon their nature, extent and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause.
  • Risk factors – The release identifies several issues companies should consider in evaluating cybersecurity risk factor disclosure, such as the probability of occurrence and potential magnitude of cybersecurity incidents and the adequacy of related preventative actions, among many others.
  • MD&A – The release discusses several matters that could impact a company’s MD&A analysis, including, among many others, the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents. Also, the release states that companies are expected to consider the impact of cybersecurity incidents on each of their reportable segments.
  • Description of business – If cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure.
  • Legal proceedings – The disclosure of material pending legal proceedings should include those related to cybersecurity issues.
  • Financial statement disclosures – The SEC expects that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into a company’s financial statements on a timely basis as the information becomes available.
  • Board risk oversight – To the extent cybersecurity risks are material to a company’s business, the SEC believes the description of how the board administers its risk oversight function should include the nature of the board’s role in overseeing the management of that risk.

The release also reminds companies and their directors, officers and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws, and of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.