In February 2018, the SEC issued Interpretive Release No. 33-1049 (Commission Statement and Guidance on Public Company Cybersecurity Disclosures), which provides interpretive guidance on disclosure requirements under the securities laws in relation to cybersecurity risks and incidents. Due to the significant increase and cost of cybersecurity incidents, the SEC believes it is critical that public companies inform investors about material cybersecurity risks and incidents in a timely manner.
Public companies should consider the materiality of cybersecurity risks and incidents when preparing the required disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934. Although disclosure requirements under these acts do not specifically refer to cybersecurity risks and incidents, certain requirements do impose an obligation to disclose such risks and incidents depending on a public company’s specific circumstances.
Areas where public companies should consider disclosures related to cybersecurity risks and incidents include:
* Risk Factors
* MD&A of Financial Condition and Results of Operations
* Description of Business
* Legal Proceedings
* Financial Statement Disclosures
* Board Risk Oversight
The SEC also encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to regularly assess the sufficiency of their disclosure controls and procedures related to cybersecurity disclosures. Such controls and procedures should allow public companies to identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance of the associated risks and incidents, and make timely disclosures of such risks and incidents.