As data breaches and privacy protection become a greater financial concern for companies, they become a greater concern for those companies’ investors as well. The Securities and Exchange Commission is following suit by taking a closer look at how companies handle and report cybersecurity issues.
In new guidance released Feb. 21, the SEC detailed its view on how public companies should disclose their cybersecurity incidents and risks in their filings. While the interpretive guidance mostly expands on the SEC’s existing expectations regarding such disclosures, it touches on new areas such as how cybersecurity intersects with insider trading.
The release builds on the SEC Division of Corporation Finance’s October 2011 cybersecurity guidance. In that document, the commission described “specific disclosure obligations that might require a discussion of cybersecurity risks and cyber incidents” under Regulation S-K, the SEC regulation that sets out the reporting requirements for public filings. These included disclosing risk factors such as the likelihood that the company might fall victim to certain types of data security incidents and the costs it would likely incur as a result.
The February guidance goes further by offering specific examples of the information the commission encourages companies to disclose. While the February release doesn’t signal a major shift from the 2011 document, companies would do well to review the guidance, securities lawyers say.