Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC aims to apply lessons learned from the many major data security incidents that have occurred since the Commission first issued cybersecurity guidance in 2011. The 2011 Guidance was among the first of its kind, as almost no guidance relating to disclosure requirements and cybersecurity issues existed at the time. The updated Guidance sets out the SEC’s views on public companies’ disclosure obligations as they relate to data breaches and other cybersecurity incidents.
The new Guidance encourages public companies to be transparent and to disclose any potential cybersecurity risks before breaches or attacks occur. To make such pre-breach risk disclosure possible, the Guidance suggests that companies develop robust cybersecurity risk assessment policies. The Guidance also cautions companies to prevent executives or other insiders from trading company shares during the internal investigation of a data security incident, or before such information is made available to the public. This prohibition on trading is specifically intended to curb behaviors such as those evident during one 2017 data breach involving a major credit-reporting agency.