U.S. S.E.C. Publishes New Guidelines on Disclosure of Cyber-Risks to Investors

The U.S. Securities and Exchange Commission (SEC) has released guidance on Public Company Cybersecurity Disclosures. The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context.

Among the cybersecurity risks that public companies will be expected to address:

  1. Remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack.
  2. Increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.
  3. Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
  4. Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
  5. Increased insurance premiums.
  6. Reputational damage that adversely affects customer or investor confidence, and damage to the company’s competitiveness, stock price and long-term shareholder value.