Law Office of Clifford J. Hunt, P.A Florida Securities & Business Lawyer
Guidelines for cybersecurity disclosures from the SEC

On behalf of Law Office of Clifford J. Hunt, P.A. posted in General on Wednesday, April 4, 2018.

The Securities and Exchange Commission unanimously voted to adopt cybersecurity interpretive guidance. Designed to assist public companies in preparing disclosures, the guidelines encourage robust disclosure regarding risks and incidents. In addition to information about lawful disclosure obligations, the guidance addresses the importance of company policies and procedures for cybersecurity threats.

The rise of cyber threats

As companies rely on digital infrastructure to provide financial and investment services, the investing public expects the infrastructure to be reliable and secure. But headline-grabbing stories about data breaches continue to plague the digitally connected world.

Cyber attacks include the use of phishing, malware and stolen credentials. The objectives vary but can include the theft or destruction of digital assets and sensitive information. A more heinous goal is to disrupt business operations. Businesses that are victims of successful cyber attacks incur reputational damage and financial costs.

Disclosure obligations

The existing SEC guidance does not address cybersecurity incident disclosure explicitly. However, the guidelines highlight seven areas where disclosure could apply to cybersecurity risks and incidents.

  • Materiality: Companies need to disclose information about the business operations and risk factors. Omission or misleading information is a disclosure violation.

  • Risk factors: Businesses must disclose significant factors that make investments speculative or risky. When deciding what to include, companies should consider the severity and frequency of prior cybersecurity incidents and steps taken to reduce cybersecurity risks.

  • Financial condition: Companies must discuss changes in financial condition, including events that would have a material effect on operating results or financial condition. Disclosures related to cybersecurity would include costs of cybersecurity efforts and incidents.

  • Business description: Businesses must disclose cybersecurity incidents that impact products and services or relationships with customers and vendors.

  • Legal proceedings: Companies are required to disclose information about any legal proceedings they, or their subsidiaries, are part of. This includes disclosure of legal proceedings involving cybersecurity issues.

  • Financial statements: Any expenses related to cybersecurity issues should be disclosed. This would include expenses from investigations and remediation, lost revenue and diminished cash flow.

  • Board risk oversight: The guidance requires businesses to disclose a board’s role in risk oversight, including a description of how risk oversight is administered.

Increased cybersecurity risks threaten our reliance on networked systems. However, clear and willful disclosure is critical. Companies should inform investors about risks and incidents in a timely manner.
