On February 21, 2018, the Securities and Exchange Commission (the “Commission”) published interpretive guidance to assist public companies when considering, drafting and issuing disclosure about cybersecurity risks and incidents (the “interpretive guidance”). The interpretive guidance became effective immediately upon issuance.
The Commission’s interpretive guidance reaffirms and expands upon guidance issued by the Division of Corporation Finance in 2011 (the “Division guidance”) relating to the disclosure of cyber-related matters. The interpretive guidance also addresses two additional topics not covered in the Division guidance, specifically that a company’s disclosure controls and procedures need to cover cyber-related matters and that compliance with insider trading prohibitions must take into account cybersecurity incidents. The Commission’s issuance of interpretive guidance underscores the Commission’s increased focus on cybersecurity and follows on the establishment of the Commission’s Cyber Unit in 2017 to target cyber-related misconduct and repeated statements by Chairman Jay Clayton and other Commission officials that cybersecurity is a priority area for the agency.