On Tuesday, February 20, 2018, the SEC voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Jay Clayton, SEC Chairman, said: “In today’s environment, cybersecurity is critical to the operations of companies and our markets. Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
The interpretive guidance provides the SEC’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
The interpretive guidance is effective upon publication in the Federal Register. A related press release from the SEC is available at: https://www.sec.gov/news/press-release/2018-22 and a copy of the SEC’s interpretive guidance is available at: https://www.sec.gov/rules/interp/2018/33-10459.pdf.