SEC Cybersecurity Guidance Takeaways

By Randi Morrison posted 06-08-2018 07:50 AM

Latham & Watkins' "5 Key Takeaways on Cybersecurity" is notable for its sensible, bite-size takeaways from the SEC's recently issued update to its cybersecurity disclosure guidance, which may ease companies' path to compliance.

The firm suggests consideration of these five steps:

  • Disclose the board's role in managing cybersecurity risk - Suggestions include proxy disclosure on management's organizational reporting to the board, board cyber expertise, and how the board oversees risk, e.g., full board or designated committee and associated charter.
  • Include disclosure review in incident response procedures - Incident response plans should be integrated with disclosure controls, which calls for incident assessment, escalation, and disclosure processes and procedures.
  • Mitigate insider trading risks after cybersecurity incidents - Update insider trading and Reg. FD policies to reflect the fact that cyber risks and incidents may be among the types of material inside information that should preclude trading in company stock and selective disclosure, respectively.
  • Disclose material incidents promptly - Take note of the SEC's guidance that a pending investigation itself doesn't justify non-disclosure or failing to update disclosures when appropriate.
  • Avoid generic disclosure - Tailor disclosures to company-specific business, reputational, and legal cybersecurity risks.

See last week's report on "Board Cybersecurity Committees," and access numerous additional resources on our Cybersecurity page. This post first appeared in this week's Society Alert!