SEC Edgar Breach Spotlights Issuer Cyber Disclosure Practices

By Randi Morrison posted 09-29-2017 07:59 AM

  

Recent high-profile breaches have triggered helpful reminders of companies' cybersecurity disclosure obligations and of best practices for related controls, policies and procedures (including but not limited to DC&P). SEC Chair Clayton's Statement on Cybersecurity included a reminder about Corp Fin's 2011 Disclosure Guidance and his not-to-be-overlooked indication that the SEC would continue to evaluate that guidance in light of the evolving cyber arena (reported on here). In addition, as detailed in this week's Society Alert, his testimony earlier this week before the Senate Banking Committee signaled potentially much greater scrutiny of issuers' disclosures about cybersecurity risks and cyber incidents going forward.

In that context, both Cadwalader and Cooley recently recapitulated the expectations and considerations regarding cybersecurity risk and incident disclosure espoused by that principles-based Guidance. To further assist companies in reviewing and re-evaluating their own practices, Cadwalader also identifies particular aspects of the Equifax pre- and post-breach cyber-related disclosures and insider trading activity that it believes the SEC is likely to focus on.

While it's too soon to tell whether or how the SEC's expectations may evolve, at a minimum, companies should consider using these recent headline breaches and disclosure snafus as an opportunity to revisit and potentially update their disclosure practices and controls.  

See also this Corporate Counsel article: "There May Be ‘No Do-Overs,’ but SEC Hack Provides Important Security Lessons," and numerous additional practical resources on our Cybersecurity topical page.

This post first appeared in this week's Society Alert!
