Blogs

SEC Chair Clayton Reminds Issuers of Cyber Disclosure Responsibilities

By Randi Morrison posted 09-21-2017 09:12 AM

  
In a wide-ranging Statement on Cybersecurity issued yesterday that outlined the SEC's approach to cybersecurity - both in its capacity as a vulnerable hack target, as well as a regulator with disclosure compliance, supervisory/oversight and enforcement responsibilities - SEC Chair Jay Clayton reminded issuers of their disclosure obligations:

Promoting effective public company disclosures



With respect to U.S. public company issuers, the SEC's primary regulatory role is disclosure based.  To that end, the staff of the Division of Corporation Finance has issued disclosure guidance to help public companies consider how issues related to cybersecurity should be disclosed in their public reports.

The staff guidance discusses, among other things, cybersecurity considerations relevant to a company's risk factors, management's discussion and analysis of financial condition and results of operations ("MD&A"), description of business, discussion of legal proceedings, financial statements, and disclosure controls and procedures.  The staff guidance is principles based and, while issued in 2011, remains relevant today.  Accordingly, issuers should consider whether their publicly filed reports adequately disclose information about their risk management governance and cybersecurity risks, in light of developments in their operations and the nature of current and evolving cyber threats.  The Commission also will continue to evaluate this guidance in light of the cybersecurity environment and its impacts on issuers and the capital markets generally.

He also noted that issuers' failure to "take their periodic and current disclosure obligations regarding cybersecurity risks seriously" may result in an SEC enforcement action.

As reported in last week's Society Alert ("Consider These SEC-Noted Elements of Robust Cybersecurity Programs" in Company Resources here), Chair Clayton and his staff have repeatedly emphasized the SEC's focus on cybersecurity enforcement and appropriate disclosure as among its top priorities.

          See also the SEC's release, Commissioner Piwowar's Statement, and these articles from Bloomberg: "Hackers May Have Profited From SEC Corporate Filing System Attack," Reuters: "U.S. SEC says hackers may have traded using stolen insider information," and Business Insurance: "Homeland Security found SEC had ‘critical’ cyber weaknesses in January."

          Watch for additional disclosure-related guidance in next week's Society Alert, and access our robust Cybersecurity resources here
0 comments
338 views

Related Content

Permalink

https://www.societycorpgov.org/blogs/randi-morrison/2017/09/21/sec-chair-clayton-reminds-issuers-of-cyber-disclosure-responsibilities