Abstract

Purpose: The purpose of this paper is to explain the SEC's recent guidance on disclosure obligations related to cybersecurity risks and cyber incidents.

Design/methodology/approach: The paper provides an overview of the guidance, including recommended mention of cybersecurity and cyber incident considerations in a company's discussion of risk factors, MD&A, description of business, disclosure of legal proceedings, financial statement disclosures, and disclosure controls and procedures. The paper recommends steps that companies should take in light of the guidance, including a review of cybersecurity practices, cyber disclosure, disclosure controls and procedures, regulation S‐P information security policies and procedures, and other legislative and regulatory proposals relating to cybersecurity.

Findings: The SEC staff guidance clarifies that even though the SEC's existing disclosure rules do not specifically reference cybersecurity, public companies should consider the growing importance of cybersecurity and make appropriate disclosures “consistent with the relevant disclosure considerations that arise in connection with any business risk”.

Originality/value: The paper provides expert guidance by experienced financial services lawyers.
