SEC announces new interpretive guidance in cybersecurity

In a February 21 Release, the U.S. Securities and Exchange Commission (SEC) announced new interpretive guidance for public companies regarding cybersecurity risk and incident disclosures.

The interpretive guidance reviews existing cybersecurity disclosure regulations, and goes a step further to explain additional disclosures that might be necessary if a company experiences cybersecurity-related incidents or breaches. We believe that this new guidance signals a continuing interest by the SEC in further expanding cybersecurity awareness and compliance.

The new guidance expands on the 2011 statement from the SEC’s Division of Corporate Finance, which identified the cybersecurity risk (and consequence) disclosure obligations for public companies. It introduces two new areas of focus that had not previously been addressed by the SEC, as follows:

1. Maintaining disclosure controls and public reporting procedures, so that timely and accurate assessments and disclosures can be assessed by senior management.

Specifically, the SEC’s guidance emphasized the need for companies to create internal mechanisms to report cyber risks and incidents to higher levels of management -…
