Adding to the chorus (or cacophony) of regulatory voices on the cybersecurity front, the SEC has recently issued new interpretive guidance concerning cybersecurity-related disclosures that public companies are required to make under federal securities laws.
Public companies already have to comply with up to 48 different state laws concerning data breaches and cybersecurity (likely soon to become 50, with Alabama and South Dakota advancing data breach legislation), several federal regulatory schemes, and international rules such as GDPR. Now they must also make sure their public disclosures are properly aligned with SEC expectations, which have changed in light of the ever-increasing risk that cyber-attacks pose. The SEC's guidance, however, does not stop at reporting. It also addresses the importance of maintaining comprehensive policies and procedures relating to cybersecurity risks and incidents, and the interplay between cybersecurity risks and incidents, insider trading, and Regulation FD. The guidance places special focus on incident response and incident-related communications, which can make or break how successfully a company mitigates breach-related risk. In this regard, incident response is a key capability that all companies, not just public companies, need to develop and exercise regularly.
This recent SEC guidance only adds to the hyper-complexity of cybersecurity regulation in the U.S. Public companies must familiarize themselves with the guidance or risk SEC comment or a shareholder suit. For more detail on the guidance, see the update from our Securities and Capital Markets and Privacy and Data Security team here.