SEC to Public Companies: Disclose Your Cyber Risks

“For a number of years, [public companies] have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents… [W]e determined it beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.” (SEC Disclosure Guidance on Cybersecurity)

We’re seeing growing interest in the guidance issued October 13 by the Securities and Exchange Commission’s Division of Corporate Finance directing public companies to disclose cybersecurity risks and incidents to investors. We’ll update this reading list as additional updates come in:

SEC Staff Provides Guidance on Disclosure Obligations Relating to Cybersecurity Risks and Cyber Incidents (Wilson Sonsini Goodrich & Rosati) 

“Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the registrant speculative or risky, with the goal of providing sufficient disclosure to allow investors to appreciate the nature of such risks.”

SEC Staff Issues Guidance Regarding Cybersecurity Risks And Incidents Disclosure (Loeb & Loeb LLP)

“If a cyber-incident could affect a company’s ability to record, process, summarize, and report information required to be included in a report filed with the SEC, the company should consider whether the risk of a cyber-incident impairs the effectiveness of the Company’s disclosure controls and procedures.”

SEC Issues Guidance on the Disclosure of Cybersecurity Incidents and Costs (Morgan Lewis)

“… the SEC explained that cyber incidents that ‘materially affect’ a registrant’s products, services, client relationships, and the like should be disclosed in the ‘Description of Business.’ For example, a cyber incident that threatens the viability of a new product that a registrant is developing may need to be discussed.”

SEC Issues Cyber Incident Disclosure Guidance (Ropes & Gray LLP)

“The [Corporate Finance] Division noted that it is concerned with the full panoply of consequences stemming from cyber incidents, including misappropriation of assets or sensitive information, corruption of data, operational disruption, remediation costs, increased security costs, lost revenues, litigation, and reputational damage.”

Public Companies: SEC Issues Guidance on Cybersecurity Disclosures (McDermott Will & Emery)

“The requirement under the federal securities laws to disclose material cybersecurity risks and incidents is not new and should not be viewed as creating additional disclosure obligations. Public companies are currently obligated to evaluate and disclose to investors significant factors that make an investment in the company’s securities speculative or risky, events or uncertainties that are reasonably likely to have a material effect on the company’s financial results or condition, and any additional information necessary to make the other required disclosures by the company not misleading.”

Who Is Listening? The SEC Emphasizes Importance of Cybersecurity Disclosure (Sutherland Asbill & Brennan LLP)

“This guidance may be followed by additional legislative and regulatory action in light of the attention cybersecurity has received over the last several years. Some of these legislative or regulatory actions may even have an impact on the SEC disclosure obligations of public companies.”

