On February 21, 2018, the US Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.1 The guidance updates and expands upon CF Disclosure Guidance: Topic No. 22, which was issued by the staff of the SEC’s Division of Corporation Finance (Staff) in 2011. In addition, the guidance addresses the importance of policies and procedures related to cybersecurity. SEC Chairman Jay Clayton noted in a contemporaneous statement that he expects the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks,” and that as companies implement it, the SEC will consider “whether any further guidance or rules are needed.”3
