On February 20, 2018, the Securities and Exchange Commission (SEC) issued interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. This guidance indicates that the SEC is expecting more robust cybersecurity-related disclosures in the filings of public companies and encourages companies to implement comprehensive cybersecurity policies and procedures.
Overview of Rules Requiring Disclosure of Cybersecurity Issues
The guidance states that companies should consider the following in disclosing cybersecurity-related risk factors:
- The occurrence of prior cybersecurity incidents, including their severity and frequency;
- The probability of the occurrence and potential magnitude of cybersecurity incidents;
- The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- The potential for reputational harm;
- Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
The guidance suggests that companies should discuss, in their MD&A disclosures, cybersecurity efforts and the consequences, costs and risks of current and potential cybersecurity incidents, which may include the loss of intellectual property, maintenance of insurance, responses to litigation and regulatory actions, compliance with applicable legislation and implementation of remediation efforts.
Policies and Procedures
The guidance encourages companies to implement comprehensive cybersecurity policies and procedures and to evaluate compliance with applicable SEC and exchange regulations on a regular basis, including with respect to adequate disclosures. These procedures should enable senior management to make informed disclosure decisions, including with respect to Regulation FD compliance, while at the same time preventing insider trading based on cybersecurity-related information. Furthermore, the procedures should not be entirely focused on required disclosures but should also allow for timely collection and review of all information that may be relevant to a cybersecurity-related disclosure.
The SEC has identified insider trading on the basis of nonpublic information related to a company’s cybersecurity risk and incidents as a major concern. In light of this increased awareness by the SEC, the guidance encourages companies to review their codes of ethics and insider trading policies to ensure insider trading on cybersecurity-related information is taken into account. These policies should include specific measures that prevent insider trading before disclosure of a cybersecurity-related incident.
The new SEC release can be found here.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.