The SEC’s New Cybersecurity Guidance Is More Significant Than You Might Think


In the wake of increasing major cybersecurity incidents—such as the recent Equifax data breach that affected about 140 million U.S. consumers—the Securities and Exchange Commission (SEC) issued its interpretive guidance on cybersecurity disclosures in late February. The guidance was highly anticipated within the business community, which had expected it to affirm and expand the cybersecurity disclosure guidance the staff of the SEC’s Division of Corporate Finance issued in 2011. Almost immediately, however, the guidance slammed into a buzz saw of criticism from the media for failing to institute any major changes to the original guidance.

But what it lacks in expansion, it makes up for in affirmation. When rules and guidance such as these are staff-generated, there is a perception that SEC commissioners aren’t bound by those recommendations. With this guidance, the commissioners have now endorsed what the Division of Corporate Finance staff established seven years ago—giving it a sense of permanence.

Shareholder Disclosures

Still, it wouldn’t be fair to say the new guidance lacks any significance. It strongly encourages companies to provide safeguards against insider…

