The SEC has issued cybersecurity guidance that directs public companies to adopt effective disclosure controls and procedures and to overhaul their disclosures about incidents and threats. The SEC believes that public companies should adopt and implement cybersecurity risk management policies and procedures that ensure timely disclosure, internal reporting, handling of risks and incidents, and prevention of insider trading. The SEC also admonishes public companies to review all of their public disclosures, including the materiality of incidents and security, risk factors, MD&A disclosure, business description, legal proceedings, financial statements, and board risk oversight. Firms should also consider disclosing past incidents “in order to place discussions of these risks in the appropriate context.” The SEC believes that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” The SEC said that it will be reviewing cybersecurity disclosures.
OUR TAKE: We expect institutional investors will add similar cybersecurity inquiries to their Operational Due Diligence processes before choosing an investment firm. So, even if you do not work for a public company, you should consider implementing the SEC’s recommendations.