In a prior client alert, we stated that “In light of evolving rules and jurisprudence concerning public companies’ duties around a data breach or other cyber incident, the board should work with professional service providers, such as its counsel, to perform a thorough review of the company’s cybersecurity policies, processes, vulnerabilities and protections.”
On February 21, 2018, the SEC released its “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” in which, among other things, it affirms the need for board oversight of cybersecurity risks.
According to the statement, SEC regulations “require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” The Commission has previously said that “disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the…
