SEC Guidance on Cybersecurity Disclosures

By Kevin Boyle and Kee-Min Ngiam

The SEC's Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies' disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, or securities compliance, as well as securities law practitioners, better understand the Staff's expectations on disclosure in this area. Our recent Client Alert reviews the guidance in greater detail. Here, we highlight a few points worth noting:

  • Cyber incidents that may need to be disclosed include not just targeted attacks or security breaches, but also security lapses or systems failures;
  • Cybersecurity can implicate disclosure obligations not only in a company's risk factors, but also its MD&A, description of business, legal proceedings, financial statements, and disclosure controls and procedures; and
  • Compliance with its disclosure obligations does not require a public company to provide detailed information that might compromise its cybersecurity, only such information that would help investors appreciate the risks involved.

The ever-increasing importance of technology for most companies brings with it increased cybersecurity risks and the potential for a material cyber incident. Public awareness of cybersecurity issues is also growing: politicians and regulators have held hearings or commenced investigations into recent cyber incidents involving some large companies, and the plaintiffs' bar has not been idle either. Public reporting companies can expect the scrutiny to increase. Close cooperation between the technology and legal functions in identifying and responding to reportable events is required.
