August 9, 2022

Volume XII, Number 221


Cybersecurity Disclosure: A Panel Discussion with the SEC’s Division of Corporation Finance

Last week in Washington, D.C., this author had the opportunity to sit in on a panel discussion by the SEC’s Division of Corporation Finance (“CorpFin”) discussing, among other things, recent developments in cybersecurity disclosure in public company filings.  The panel included CorpFin’s Acting Director Lona Nallengara, Deputy Director of Disclosure Operations Shelley Parratt and others from CorpFin.

One question asked of the panel was whether companies are actually listening to the SEC Guidance issued in late 2011.  The panel acknowledged that it has seen improvement in public company disclosure related to cybersecurity (consistent with what we previously reported here), and that the 2011 guidance is still very relevant.  The panel disclosed that the SEC has issued cybersecurity comments to approximately 50 public companies since issuing its guidance.  Specifically, the panel outlined the three major types of cybersecurity comments that the SEC has issued:

1) Disclose Specific Cybersecurity Breaches: Although public companies are beginning to include greater disclosure related to how data breaches could occur, the SEC has issued comments requesting that companies disclose whether data breaches have actually occurred and how the company has responded to such breaches.

2) Cybersecurity Risks Should Stand Alone: Often public companies include cybersecurity risks mixed in with other unrelated risk factors, such as risks of terrorist attacks or natural disasters. The SEC has commented that cybersecurity risks should be broken out separately and stand alone because of the distinct differences between the risk of cybersecurity attacks and the risk of other types of disasters or attacks.

3) All Material Breaches Should Be Disclosed: In some cases, a public company has suffered a cybersecurity attack, but has failed to disclose such attack in its public filings. The SEC has issued comments requesting additional information regarding why the public company does not believe the attack is sufficiently material to warrant disclosure, and if such attack is material, then the SEC has requested that the company include the relevant disclosure in its public filings.

Aside from these three main areas, the panel explained that the SEC is interested in greater disclosure regarding the source of cybersecurity attacks that have occurred, e.g., whether the attack is from a competitor, a foreign government or a hacker group. The SEC is also interested in instances in which the company was initially unaware of a data breach, but a third party brought it to the company’s attention. In these cases, the SEC may request disclosure regarding why the company was initially unaware of the breach. The panel hinted that the SEC will issue comments this year related to these additional areas of interest.

Notably, the panel cautioned that a public company’s board of directors has oversight responsibility when it comes to cybersecurity, and that federal agencies other than the SEC are also focused on cybersecurity issues.

Based on CorpFin’s panel discussion, it appears that increased cybersecurity disclosure is not just the flavor of the month for the SEC.  Public companies should be proactive in their disclosure of cybersecurity risks and incidents to avoid receiving a comment from the SEC.  Companies should remember that the board of directors has an affirmative responsibility to ensure that the company has adequate cybersecurity protection, procedures and public disclosure in its filings.  Keep an eye out this year for new SEC comments related to the SEC’s additional areas of interest mentioned above.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume III, Number 101

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732