The SEC Issues Guidance to Public Companies on Cybersecurity Disclosures

Over the past year, the SEC has emphasized that one of the primary areas that the Commission will continue to focus its efforts is cybersecurity.  In a speech given by SEC Chairman Jay Clayton on July 12, 2017, Chairman Clayton stated that “[p]ublic companies have a clear obligation to disclose material information about cyber risks and cyber events.”  On September 20, 2017, Chairman Clayton issued a statement on cybersecurity, discussing disclosure guidance issued by the staff of the Division of Corporation Finance in 2011, and stating that “issuers should consider whether their publicly filed reports adequately disclose information about their risk management governance and cybersecurity risks, in light of developments in their operations and the nature of current and evolving cyber threats.”  Chairman Clayton further provided that the SEC would “continue to evaluate [the 2011] guidance in light of the cybersecurity environment and its impacts on issuers and the capital markets generally.”

In light of the foregoing, on February 21, 2018, the SEC issued an interpretive release providing guidance to public companies concerning preparing disclosures about cybersecurity risks and incidents (the “SEC Release”).  The SEC Release emphasized the importance of having effective “disclosure controls and procedures that provide an appropriate method of discerning the impact that such [cybersecurity] matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents” and stated that the “development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”  Additionally, the SEC Release cautioned against insider trading by directors, officers and other company insiders while in possession of material nonpublic information, including, but not limited to, “knowledge regarding a significant cybersecurity incident experienced by the company.”  The SEC Release can be found here.

About Faruqi & Faruqi, LLP

Faruqi & Faruqi focuses on complex civil litigation, including securities, antitrust, consumer and wage and hour class actions, as well as shareholder derivative suits.  The firm is headquartered in New York, and maintains offices in California, Delaware, Pennsylvania and Georgia.  Since its founding in 1995, Faruqi & Faruqi has served as lead or co-lead counsel in numerous high-profile cases which ultimately provided significant recoveries to investors, consumers, and employees.

To contact the author of this blog or the offices of Faruqi & Faruqi, please call us at (212) 983-9330. 

About Nina Varindani

Nina Varindani is a Partner in Faruqi & Faruqi, LLP’s New York office and focuses her practice on securities litigation and shareholder derivative litigation, representing investors in federal and state class action and derivative lawsuits, books and records demands and litigation demands.  Please feel free to contact Nina regarding any questions concerning this blog post or any questions related to F&F’s practice areas,

                                                                                           ***THIS IS ATTORNEY ADVERTISING***

Disclaimer: The foregoing in no way constitutes legal advice from any attorney or from Faruqi & Faruqi, LLP. The opinions expressed herein are the opinions of attorney Nina Varindani and in no way reflect the opinions of Faruqi & Faruqi, LLP.

Posted by Nina Varindani

Partner at Faruqi & Faruqi, LLP
New York Office
Tel: (212) 983-9330
Fax: (212) 983-9331

Logo Twitter Facebook LinkedIn Google+