SEC Releases Updated Public Company Cybersecurity Disclosure Guidance

April 12, 2018

The U.S. Securities and Exchange Commission (SEC) in February released a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” to help public companies understand their obligations to disclose cybersecurity risks and incidents.

According to SEC Chair Jay Clayton, the new interpretive guidance “reinforces and expands” the SEC Division of Corporation Finance’s 2011 “CF Disclosure Guidance: Topic No. 2 - Cybersecurity.”

“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” Clayton said in a statement. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

The new guidance does two things:

  1. discusses the importance of maintaining robust cybersecurity policies and procedures to ensure a company’s ability to make accurate and timely disclosures
  2. makes clear that trading by company personnel ahead of the disclosure of a cybersecurity incident can constitute illegal insider trading for which public companies should adopt safeguards

“It is safe to assume these areas of concern will be focuses of SEC scrutiny going forward, and they provide important clues about the circumstances under which the SEC might bring enforcement actions,” the law firm K&L Gates wrote in a client alert. “Therefore, public companies would be wise to carefully review their cybersecurity policies, procedures, and disclosures to ensure compliance with the new guidance.”

The guidance says that certain rules under the Securities Exchange Act of 1934 require:

  1. public companies to maintain disclosure controls and procedures
  2. management to evaluate the effectiveness of those controls and procedures, and
  3. certifications by a company’s principal executive and principal financial officers regarding the design and effectiveness of those controls and procedures.

The new guidance emphasizes that timeliness in discovering material information is critical to effective disclosure. Accordingly, the new guidance suggests that:

companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

“In today’s environment, cybersecurity is critical to the operations of companies and our markets,” Clayton said. “Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”


Contact ALTA at 202-296-3671 or