Statement on Cybersecurity Interpretive Guidance

Jay Clayton is Chairman of the U.S. Securities and Exchange Commission. This post is based on Chairman Clayton’s recent remarks concerning the SEC Cybersecurity Interpretive Guidance, available here. The views expressed in this post are those of Mr. Clayton and do not necessarily reflect those of the Securities and Exchange Commission or its staff.

Yesterday [Feb. 20, 2018], the Commission approved the issuance of an interpretive release to provide guidance to public companies when preparing disclosures about cybersecurity risks and incidents. The release also communicates the Commission’s views on the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.

In today’s environment, cybersecurity is critical to the operations of companies and our markets. Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.

In 2011, the Division of Corporation Finance issued guidance that provided the Division’s views regarding disclosure obligations that relate to cybersecurity risks and incidents. Yesterday, the Commission voted to provide guidance to public companies that reinforces and expands the Division’s prior guidance. The guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents. It also addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading, and selective disclosures. I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors. In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.

There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve. I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.
