United States: Cadwalader Attorneys Review SEC Cybersecurity Disclosure Requirements
Last Updated: September 25 2017

In the wake of the recent Equifax cybersecurity breach, Cadwalader attorneys reviewed SEC policies, procedures and controls on cybersecurity-related disclosures and cybersecurity threats.

In the memorandum, the attorneys reviewed 2011 SEC guidance on cybersecurity risk and incident disclosure requirements for companies in light of their "growing reliance" on digital technologies. In that guidance, the SEC suggested that companies disclose cybersecurity risk if such risk is a significant factor that makes "investment in the company speculative or risky." To make this determination, a company should consider factors such as (i) likelihood of a cybersecurity incident occurring, (ii) potential costs associated with the risk, (iii) prior cybersecurity incidents, and (iv) sufficiency of preventative measures. The SEC encouraged companies to "tailor" disclosures to their "specific cybersecurity risks" and avoid "boilerplate" disclosures. At the same time, the SEC affirmed that companies do not need to disclose risk-related information that would compromise their ability to "defend against cyberattacks."

The attorneys explained that companies may need to make timely disclosure of cyber incidents, such as data breaches, when those incidents have a material effect on the financial condition of the company or materially affect its products, services or customer relationships. The attorneys noted that the SEC has not yet initiated an enforcement action over cybersecurity disclosures, but said that the SEC has investigated companies in connection with breach disclosures.

Due to the significance of the Equifax breach, the attorneys expect that the company will be scrutinized by the SEC over the "adequacy of its pre- and post-breach disclosures of cybersecurity risks." The SEC would likely examine the timeliness of the Equifax disclosure, which occurred 41 days after the company learned of the breach. Equifax also may face scrutiny based on the reported trading activities of several executives who collectively unloaded nearly $2 million in shares after Equifax discovered the breach, but before it was disclosed to the public.

The attorneys said that SEC officials have expressed a commitment to closely monitor compliance with cybersecurity obligations, and asserted that the SEC response to the Equifax breach will shed light on the SEC approach to cybersecurity disclosures.

The Cadwalader memorandum was authored by Peter Carey, Kyle DeYoung, Joseph Facciponti, Joseph Moreno, and Stephen Weiss.

Commentary / Joseph Facciponti

Both the current SEC Chair and Co-Director of Enforcement have recently emphasized the obligations of public companies to disclose material cybersecurity risks and cyber incidents, and have threatened to bring a potential enforcement action against any company that fails to meet those obligations. Companies at risk of significant cyberattacks should implement a fulsome cybersecurity defense against potential hackers, develop an incident response plan, and ensure that adequate disclosures are made to regulators, customers, and the investing public.
