SEC Publishes Guidance on Cybersecurity Breach Disclosures

In the aftermath of the sweeping, infamous breach of Equifax, the SEC has now provided additional clarification to its 2011 cybersecurity guidance with a new ‘interpretive release’.

The US Securities and Exchange Commission (SEC) has provided public companies with an interpretive guidance to assist them in preparing disclosures about cybersecurity risks and incidents.

The interpretive release specifically puts the spotlight on three major facets. Namely:

  • Cybersecurity Policies & Procedures: The SEC is now strongly pushing companies to examine which cybersecurity policies they should specifically adopt, and to assess whether they have sufficient disclosure controls and procedures in place. Specifically, the SEC has stressed that senior management at the company should be informed of, and empowered to make, disclosure decisions in matters of cyber risk.

“Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents,” the SEC wrote.

  • Cybersecurity-related Insider Trading Controls: The SEC has also called for the Board of Directors to be on alert for any warning signs of potential insider trading arising from known cybersecurity risks or ahead of any potential disclosures. The Board, the SEC stressed, needs to remind other employees and executives not to use their insider knowledge of cyber risk factors to engage in insider trading. For instance, Equifax’s former CIO Jun Ying was indicted on federal charges for insider trading in transactions made prior to the company’s public revelation of its 2017 data breach.
  • The Board’s Risk Oversight Duties: The SEC has now mandated that the Board of Directors at a public company has a fiduciary duty to oversee risk factors, specifically risks that pose a material threat to, and impact on, the company.

“In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area,” the SEC added.
