SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures

The SEC voted to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

“I believe that providing the commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” says SEC chairman Jay Clayton. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

The guidance provides the commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation Fair Disclosure and selective disclosure prohibitions in the cybersecurity context.