SEC Issues Guidance on Cybersecurity Risk and Incident Disclosures
March 15, 2018
On February 21, 2018, the SEC issued guidance to assist public companies in preparing timely disclosures about cybersecurity risks and incidents. The significant portions of the guidance are:
- A company’s requirement to establish and maintain appropriate and effective disclosure controls and procedures that enable it to make accurate and timely disclosures of material events, including those related to cybersecurity.
- The company’s obligation to refrain from making selective disclosures of material, nonpublic information about cybersecurity risks or incidents.
- The duty of companies to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.
- The requirement that corporate insiders must not trade a public company’s securities while in possession of material nonpublic information of a cybersecurity incident.
In order for public companies to better respond to a cybersecurity incident and to ensure compliance with the SEC guidance, companies should:
- Confirm their cybersecurity incident response plan includes appropriate notification procedures.
- Prepare a notification procedure to inform all officers, directors or significant stakeholders about the cessation of trading of corporate securities in the event of a cybersecurity incident.
- Develop a cybersecurity incident response plan to address all internal and external communications.
- Remind all company employees and stakeholders to refrain from publicly disclosing nonpublic information about a cybersecurity incident.
It is critical that your business advisor has deep and broad experience preparing and reviewing cybersecurity incident response plans as well as with cybersecurity compliance.