The SEC issued interpretive guidance intended to help public companies prepare disclosure statements about cybersecurity risks and incidents.
Expanding on guidance provided in 2011, the SEC reminded companies that they should take into account the materiality of cybersecurity risks and incidents when preparing disclosures. Materiality may depend upon the nature and significance of cybersecurity risks or incidents, as well as harm that results from such events. The SEC does not expect companies to disclose information that may expose systems to potential cybersecurity incidents. The SEC further identified important risk factors for companies to consider when preparing their disclosures, including the circumstances of prior incidents, the nature of business operations, the potential for harm and the adequacy and costs of cybersecurity protections. The SEC emphasized that companies are required to disclose both past and ongoing cybersecurity incidents. The SEC also outlined various other rules and requirements that may obligate companies to disclose cybersecurity-related information.
The guidance addresses two new topics: (1) the importance of cybersecurity policies and procedures, and (2) the application of insider trading prohibitions in the cybersecurity context. As it does with other compliance regimes, the SEC expects public companies to maintain comprehensive policies and procedures related to cybersecurity that are assessed regularly. Companies must also implement disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents is processed and reported quickly and accurately to senior management. In addition, the SEC warned companies and their insiders to be mindful of their obligations under insider trading laws in connection with cyber vulnerabilities and breaches. The SEC notes that such information may be material nonpublic information, and that trading on it would violate the antifraud provisions. The SEC encourages companies to consider incorporating this warning in their codes of ethics and insider trading policies.