TheCorporateCounsel.net

October 24, 2023

Time for a Cybersecurity Disclosure Tune-Up?

It is important to remember that the SEC’s recent cybersecurity disclosure rulemaking did not supersede or replace all of the Staff and Commission guidance on cybersecurity disclosure, but rather augmented it. While the Commission’s February 2018 guidance regarding timely disclosure of cybersecurity incidents has now been clearly superseded by the adoption of new Item 1.05 of Form 8-K, the rest of the collective Staff and Commission guidance from CF Disclosure Guidance Topic No. 2 and Release No. 33-10459 continues to live on. As a result, when drafting your new risk management, strategy and governance disclosure for your upcoming Form 10-K, it also makes sense to go back and see how you have addressed the topic of cybersecurity in your business description, risk factors, MD&A, legal proceedings and financial statements and assess whether any tune-ups are necessary for your existing disclosure.

With regard to risk factor disclosure in particular, where most companies now have some discussion of cybersecurity risks, it may be necessary to align the disclosure in that section with the new risk management, strategy and governance disclosure when describing the threat environment that the company faces and the steps that the company takes to address those cybersecurity threats.

For more background on the overall disclosure expectations around cybersecurity, be sure to check out our “Cybersecurity” Practice Area.