With public companies giving investors more information about cybersecurity risk factors, the director of the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance believes there is still room for improvement. In a speech last month, William Hinman noted that SEC staff is seeing inconsistencies in the quality of cybersecurity disclosures. To resolve the issue, Hinman wants companies to provide more details on how their boards of directors oversee risks and breaches.
Hinman’s remarks come as Corp Fin staffers continue to review companies’ cybersecurity disclosures since the SEC issued Release No. 33-10459, Commission Statement on Guidance and Public Company Cybersecurity Disclosures. Issued in February, the guidance stresses why companies must implement controls for cybersecurity. The guidance also advises companies to establish stock trading policies to prevent officers and directors from violating insider trading rules.
As for the ongoing assessment of cybersecurity disclosures, the review aims to help the staff establish a baseline analysis for considering a wider filing disclosure review program and determine how to provide uniform staff comment letters concerning cybersecurity. Separately, the staff is also reviewing company management’s disclosure controls.