SEC Corp Fin to Tweak Cybersecurity Guidance

December 15, 2017

David Fredrickson of the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance (“Corp Fin”) has announced that the SEC will update its 2011 document, Disclosure Guidance: Topic No. 2, Cybersecurity. A refresh of the commission’s cybersecurity interpretive guidance, the update would address investors’ complaints that public companies are not providing timely or informative disclosures regarding cyber-attacks on their computer systems.

Fredrickson, Corp Fin’s chief counsel, noted that the SEC’s staff is considering updates to disclosure controls and procedures, as in how quickly are cybersecurity breaches identified and brought to the attention of senior management for proper disclosure. The commission also wants investors to be better informed about a company’s cybersecurity strategy and policies.

In recent years, investors have been vocal regarding the need for additional details on a company’s cybersecurity. Jay Clayton, the SEC chairman, has told lawmakers that he thinks companies can improve their disclosures concerning risks they face and computer intrusions.

Corp Fin regulators have yet to determine whether the update will be in the form of staff-level guidance or a regulatory release. According to Fredrickson, the Corp Fin staff is more focused on the content of the revised guidance rather than its presentation.