On February 21 the SEC issued a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”. The Release contains new guidelines and requirements regarding public companies’ disclosure responsibilities for cybersecurity situations. No new rules or regulations have been issued at this point, but the Release contains some valuable guidance. It is also clear that cybersecurity is a hot button for the SEC and for Chair Clayton, and I believe that cybersecurity disclosure issues will be subject to more rigorous scrutiny going forward. All public companies should carefully review the Release and evaluate their disclosure obligations in connection with cybersecurity.
The Release updates the SEC’s position on cybersecurity. The SEC’s previous guidance in this area was primarily a Corporation Finance Division Release issued in 2011 that did not contain specific disclosure requirements. The cybersecurity landscape has changed radically since then. The substantial increases in the number and severity of cybersecurity incidents, coupled with the growing dependence of businesses on cyber systems and the associated problems that arise in a cybersecurity incident, have clearly convinced the SEC that additional disclosure is required.