From: Inside Counsel
The SEC has taken a multi-faceted approach to cybersecurity threats facing public companies
By David B.H. Martin, Keir Gumbs, Ciarra Chavarria
As with many agencies, cybersecurity concerns are a top priority at the Securities and Exchange Commission (SEC). From the publication of staff guidance in 2011 regarding the disclosure implications of cybersecurity-related threats and incidents, to recent examinations of more than 100 broker-dealers and registered investment advisers with respect to cybersecurity preparedness and the incorporation of cybersecurity considerations in its enforcement activities, the SEC has taken a multi-faceted approach to cybersecurity threats facing public companies, investors and the markets more generally. The following is a summary of the key trends in SEC activity relating to cybersecurity that impact public companies.
Cybersecurity disclosures
Federal securities law does not explicitly require issuers to disclose cybersecurity breaches, much less failed breaches, of cybersecurity defenses. Notwithstanding the absence of a specific line item or form prescribing such disclosure, SEC guidance and market practice dictate that companies consider making disclosures about material cybersecurity incidents. Specifically, SEC staff guidance from 2011 highlights the need for companies to consider whether cybersecurity risks or cyber events warrant disclosure in their periodic reports.
Leave a Reply