Lillian Brown, Meredith Cross, and Benjamin Powell are partners at Wilmer Cutler Pickering Hale and Dorr LLP. This post is based on a WilmerHale publication by Ms. Brown, Ms. Cross, Mr. Powell, Jonathan Cedarbaum, and Alan Wilson.
On February 21, 2018, the Securities and Exchange Commission (SEC) approved an interpretive release updating guidance on public company disclosure and other obligations concerning cybersecurity matters. The interpretive release, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” Release No. 33-10459 (Guidance), had been scheduled to be considered at an open meeting on February 21, which was canceled. Much of the Guidance is devoted to reiterating and expanding upon the Division of Corporation Finance’s 2011 CF Disclosure Guidance: Topic No. 2, Cybersecurity, which was issued to assist companies in assessing what disclosures might be required about cybersecurity risks or incidents. WilmerHale discussed the 2011 guidance here. Emphasizing the increasing significance of cybersecurity incidents in recent years, the new Guidance further illustrates potential disclosures that companies should consider and comments on matters beyond disclosure obligations. The Guidance stresses the importance of cybersecurity policies and procedures, and discusses the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD selective disclosure prohibitions. Recognizing that the cybersecurity landscape continues to shift, Chairman Clayton commented in a separate statement that the Commission “will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.”