New Disclosure and Cybersecurity Guidance from the SEC

Adding to the chorus (or cacophony) of regulatory voices on the cybersecurity front, the SEC has recently issued new interpretive guidance concerning cybersecurity-related disclosures that public companies are required to make under federal securities laws.

Not only do public companies have to comply with up to 48 different state laws concerning data breaches and cybersecurity (likely soon to become 50, with Alabama and South Dakota advancing data breach legislation), several federal regulatory schemes, and international rules such as GDPR, they also have to be sure their public disclosures are properly aligned with SEC expectations, which have changed given the ever-increasing risks that cyber-attacks pose. However, the SEC’s guidance doesn’t stop at reporting. It also addresses the importance of maintaining comprehensive policies and procedures relating to cybersecurity risks and incidents, and the interplay between cybersecurity risks and incidents, insider trading, and Regulation FD. There is a special focus in the guidance on incident response and incident-related communications, which can make or break how successful a company is in mitigating breach-related risk. In this regard, incident response is a key capability that all companies, not just public companies, need to develop and exercise regularly.

This recent SEC guidance only adds to the hyper-complexity of cybersecurity regulation in the U.S., and public companies must familiarize themselves with the guidance or risk possible SEC comment or a shareholder suit. For more detail on the guidance, see the update from our Securities and Capital Markets and Privacy and Data Security team here.

