In 2011, the SEC staff issued guidance on disclosure obligations relating to cybersecurity risks and incidents. That guidance indicated that, although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies may nonetheless be obligated to disclose such risks and incidents. After issuing it, the SEC observed that many companies added cybersecurity disclosure, typically in the form of risk factors.
Today, in light of the increasing significance of cybersecurity incidents, the SEC published a press release and additional Commission-level guidance, which reinforces and expands upon the SEC staff guidance provided in 2011 and addresses two additional topics:
- The importance of establishing and maintaining appropriate and effective disclosure controls and procedures to make accurate and timely disclosures of material cybersecurity events.
- The application of insider trading prohibitions in the cybersecurity context, including the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.