Cyber attacks are becoming an increasingly vexing problem for consumers, businesses, investors, and capital markets as a whole. In response, the SEC has issued new interpretive guidance relating to public companies’ cybersecurity disclosure obligations under the federal securities laws. This guidance updates a 2011 release, elevates its authority from staff- to Commission-level, and includes new topics about the importance of policies and procedures. Meanwhile, the Division of Enforcement and Office of Compliance Inspections and Examinations are targeting industry risks and incidents and addressing evolving technological solutions. Like many other governmental and private entities, the SEC is subject to these risks itself and is still reeling from a 2016 cyberattack on the SEC’s EDGAR test filing system that enabled a hacker to gain access to nonpublic information.
A new white paper by Amy Leisinger, J.D., legal editor at Wolters Kluwer Legal & Regulatory U.S., offers a thorough look at the guidance and other recent efforts at the SEC to counter and prevent cyber threats.