Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

SEC issues new cybersecurity reporting guidance

Privacy/Cyber Risk & Data Security SEC

Privacy, Cyber Risk & Data Security

On February 21, the SEC released Cybersecurity Interpretive Guidance designed to provide assistance to public companies when preparing disclosures about cybersecurity risks and incidents. According to a press release, the commissioners voted unanimously on February 20 to approve the guidance, which reinforces and expands guidance previously issued in 2011. The guidance, which addresses the “grave threats” cybersecurity risks pose to investors, the capital market, and the United States, states the SEC’s expectations that companies should, among other things, (i) provide disclosures tailored to a particular company’s cybersecurity risks rather than using “boilerplate language or static requirements,” and (ii) adopt policies that will restrict executive trading in a firm’s securities while possessing nonpublic information related to cybersecurity risks or attacks. In connection with the release of the guidance, SEC Chairman Jay Clayton released a statement urging public companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” The statement also stressed the federal securities law disclosure requirements that companies “must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents.”

Share page with AddThis