In the spirit of full cybersecurity disclosure
This Heads Up discusses the SEC’s recently issued interpretation, Commission Statement and Guidance on Public Company Cybersecurity Disclosures. The interpretation largely refreshes existing SEC staff guidance related to cybersecurity and, like that guidance, does not establish any new disclosure obligations but rather presents the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.
On February 21, 2018, the SEC issued interpretive guidance (the “release”) in response to the pervasive increase in digital technology as well as the severity and frequency of cybersecurity threats and incidents. The release largely refreshes existing SEC staff guidance related to cybersecurity and, like that guidance, does not establish any new disclosure obligations but rather presents the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.
The release will become effective on the date of its publication in the Federal Register. In a public statement about the release, SEC Chairman Jay Clayton noted that he has asked the Division of Corporation Finance to continue to closely monitor cybersecurity disclosures as part of its filing review process and that the SEC will continue to evaluate whether further guidance is needed. In light of the SEC’s focus on cybersecurity matters, companies may want to revisit their disclosures and their disclosure controls and procedures (DCPs), including controls over the sales of securities by executives.
Cyberattacks can vary widely from company to company. They can include the theft of a company’s (or its customers’ or vendors’) financial assets, intellectual property, or sensitive information, the disruption of a company’s operations, or the targeting of entities that operate in industries responsible for critical infrastructure, such as the energy and public utility industries. Costs and consequences of a cybersecurity incident may include remediation expenses, lost revenues, litigation, increased insurance premiums, reputational damage, and erosion of shareholder value.
In 2011, the SEC’s Division of Corporation Finance issued principles-based guidance that provided the SEC’s views on cybersecurity disclosure obligations, including those related to risk factors, MD&A, and the financial statements. The release expands on the concepts discussed in that guidance and concentrates more heavily on cybersecurity policies and controls, most notably those related to cybersecurity escalation procedures and the application of insider trading prohibitions. It also addresses the importance of avoiding selective disclosure as well as considering the role of the board of directors in risk oversight.
The release applies to public operating companies, including foreign private issuers, but does not address the specific implications of cybersecurity for other regulated entities under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations.
Heads Up newsletters, published as warranted, analyze important accounting developments, such as new FASB and IASB pronouncements or exposure drafts. Concise examples and answers to frequently asked questions assist readers in understanding and implementing the critical guidance.