Late last month, the Securities and Exchange Commission (the "SEC") published updated interpretive guidance (the "Guidance") to assist public companies in preparing disclosures about cybersecurity risks and incidents. According to the SEC, the Guidance's role is to outline its views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. The SEC previously published cybersecurity guidance in 2011, and this update covers two topics that the earlier guidance did not address.

First, the Guidance stresses the importance of public companies maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. According to the SEC, cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. The SEC "encourages" companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies also "should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents."

Second, the SEC addressed insider trading, noting that companies and their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. Specifically, the Guidance states that information about a company's cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company's securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.

In addition, the SEC Guidance reiterated that companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosures that are required in registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934, and periodic and current reports under the Exchange Act. Specifically, the SEC addressed the following types of disclosures:

Risk Factors

Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the company's securities speculative or risky. Companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among such factors, including risks that arise in connection with acquisitions. The Guidance sets forth a list of potential risk factors for companies to evaluate.

MD&A of Financial Condition and Results of Operations

Item 303 of Regulation S-K and Item 5 of Form 20-F require a company to discuss its financial condition, changes in financial condition, and results of operations. The cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents, among other matters, could inform a company's analysis.

Description of Business

Item 101 of Regulation S-K and Item 4.B of Form 20-F require companies to discuss their products, services, relationships with customers and suppliers, and competitive conditions. If cybersecurity incidents or risks materially affect a company in those areas, the company must provide appropriate disclosure.

Legal Proceedings

Item 103 of Regulation S-K requires companies to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. Companies should note that this requirement includes any such proceedings that relate to cybersecurity issues.

Financial Statement Disclosures

Cybersecurity incidents and the risks that result therefrom may affect a company's financial statements.

Board Risk Oversight

Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclose the extent of its board of directors' role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board's leadership structure. A company must include a description of how the board administers its risk oversight function. To the extent cybersecurity risks are material to a company's business, we believe this discussion should include the nature of the board's role in overseeing the management of that risk.

Companies subject to SEC oversight are encouraged to review the guidance and discuss any potential questions with counsel.
