On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.
Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge.
In a number of respects, this new guidance does mirror, or simply amplifies, the prior staff guidance. That is to be expected, though, because there was much in the prior guidance that remains accurate and useful in analyzing securities-related issues arising from cybersecurity risks and incidents. In other respects, the new guidance addresses issues that have come into sharper focus since 2011.
The…
