Written by wordpress627 on March 1, 2018
Last week, the SEC provided new clarity about the disclosure requirements for both cybersecurity threats and cybersecurity events (hacks), and also addressed the controls that issuers should put in place so that an event requiring disclosure is actually disclosed.

The SEC’s guidance regarding when disclosure is required focuses on the materiality of a particular cybersecurity risk or breach. Materiality is the standard that almost always guides an issuer’s disclosure obligations. In a manner very much like Regulation FD, the Commission considers cybersecurity information to be material when:

  • There is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision
  • A reasonable investor would have viewed the omitted information as having “significantly altered the total mix of information available”

The SEC underscored that the guidance applies not just to actual cybersecurity threats and cybersecurity events (hacks), but also to the material risk of a future cybersecurity event. The Commission also stated that an issuer’s need to make a disclosure must be analyzed on a case-by-case basis, depending on the nature, extent and potential magnitude of the cybersecurity risk or breach.

In assessing whether disclosure is required, a company should consider the range of damage that an incident could cause, including to a company’s reputation, brand, financial performance, and customer or vendor relationships, along with the possibility of litigation or other regulatory actions.

The obligation to disclose is not limited to periodic reports such as 10-Ks or 10-Qs; a cybersecurity event may also have to be reported as a current report on Form 8-K or 6-K. Edgar Agents’ fast turns can be essential here.

Putting a colder tone on its guidance, the SEC warned executives of publicly traded companies against trading on inside information regarding a cyber-incident. Such trading is readily monitored through Section 16 filings.