Photo of Njeri Chasseau

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in preparing their cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC aims to apply lessons learned from the many major data security incidents that have occurred since the Commission first issued cybersecurity guidance in 2011. The 2011 Guidance was among the first of its kind, since almost no guidance relating disclosure requirements to cybersecurity issues existed at the time. The updated Guidance sets out the SEC’s views on public companies’ disclosure obligations as they relate to data breaches and other cybersecurity incidents.

The new Guidance encourages public companies to be transparent and to disclose material cybersecurity risks before breaches or attacks occur. To make such pre-breach risk disclosure possible, the Guidance suggests that companies develop robust cybersecurity risk assessment policies. The Guidance also cautions companies to prevent executives and other insiders from trading company shares during the internal investigation of a data security incident, or before information about the incident is made available to the public. This caution on insider trading is specifically directed at curbing behavior such as that evident during one 2017 data breach involving a major credit-reporting agency.

Guiding light: SEC adopts updated cybersecurity guidance

Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies, setting out guidelines and procedures for preparing for and responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals potentially affected by a breach,” and to provide “guidance on whether and how to provide notification and services to those individuals.” Implementing common standards and processes across federal agencies is intended not only to streamline the way agencies deal with the release of PII, but also to ensure that the federal government is capable of handling data breaches effectively and efficiently.

Among the more notable requirements in the guidelines are those imposed on federal contractors who collect or maintain federal information, or who use or operate information systems on behalf of a federal agency. The OMB outlines terms for agencies to incorporate into federal contracts and cooperative agreements, including requiring that contractors and subcontractors:

OMB Federal Agency Data Breach Guidelines – Considerations for Industry