SEC Releases Interpretive Guidance on Cybersecurity Risk and Incident Disclosures

On Feb. 22, 2018, the Securities and Exchange Commission (SEC) issued its first interpretive guidance since October 2011 on public companies’ cybersecurity risk and incident disclosure obligations. Although public companies are not subject to an express obligation to disclose data security threats under federal law or SEC regulations, the latest guidance confirms that “companies nonetheless may be obligated to disclose such risks and incidents.”

The purposes of the SEC’s new guidance are threefold:

  1. Reinforce and expand upon the October 2011 guidance;
  2. Address the importance of the adoption of cybersecurity policies and procedures; and
  3. Address insider trading within the context of cybersecurity risk exposure.

Reinforcement and Expansion of Existing Risk and Incident Disclosure Guidance

The SEC’s current and prior guidance regarding cybersecurity risk and incident disclosures is derived from five primary sources of authority, each of which may implicate necessary disclosures independently. These sources include companies’ registration disclosure obligations under the Securities Act and Securities Exchange Act, including 10-K and 8-K filings. Public companies also have a general obligation to disclose “such further material information, if any, as may be necessary to make [prior disclosures], in light of the circumstances under which they are made, not misleading.” Rule 408 of the Securities Act (17 CFR 230.408).

The SEC has further stated:

[W]e recognize that a company may require time to discern the implications of a cybersecurity incident. We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation . . . would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.

Adoption of Cybersecurity Policies and Procedures

In its updated guidance, the SEC is advising public companies to adopt “comprehensive” cybersecurity policies and procedures focused not only on mitigating threats, but also on ensuring adequate internal reporting of threats and incidents so they can be disclosed as necessary. As stated in the guidance, “[a] company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure[.]”

In addition, public companies must tailor their cybersecurity policies and procedures to various other aspects of their disclosure-related obligations. This includes requirements for:

  • A company’s CEO and CFO to certify the effectiveness of disclosure controls and procedures under Exchange Act Rules 13a-14 and 15d-14, and
  • Companies to disclose their conclusions regarding the effectiveness of disclosure controls and procedures under Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F.

Insider Trading Based on Knowledge of Cybersecurity Risks and Incidents

The SEC has also used its new interpretive guidance to remind company insiders of the potential risks of trading while in possession of material nonpublic information about a cybersecurity threat or incident. In the event of a data breach, insiders may have an obligation to refrain from trading in the company’s securities, and the company may also have an obligation to impose restrictions on its officers’, directors’ and other insiders’ securities transactions.

This guidance is material in light of the insider trading charges the SEC recently brought against Equifax’s former chief information officer Jun Ying. According to the SEC, Ying “allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.” Before Equifax publicly disclosed the breach, Ying allegedly exercised all of his vested Equifax stock options and then sold the shares, avoiding more than $117,000 in losses.

The SEC’s new interpretive guidance on cybersecurity risk and incident disclosures is a worthwhile read for anyone dealing with issues in this realm. It is available on the SEC’s website: Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

Lindsey Frye

About Lindsey Frye

Lindsey Frye regularly represents major financial institutions responding to global government investigations and related civil litigation. Lindsey also frequently advises clients on compliance with regulatory requirements.
