US2018-07: SEC issues interpretive guidance on cybersecurity disclosures
New SEC release provides interpretive guidance for registrants preparing disclosures related to cybersecurity risks and incidents.
- Disclosure Controls and Procedures: Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel to enable senior management to make disclosure decisions and certifications.
- Insider Trading: Policies and procedures should be in place to prevent trading on the basis of material non-public information. Companies should consider restrictions on trading while significant cyber incidents are investigated.
- Risk factors: previous or ongoing incidents, probability of occurrence and potential magnitude, adequacy of preventative actions, and costs to maintain protections
- Description of business: how cybersecurity incidents or risks may materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions
- MD&A: the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents
- Legal proceedings: theft of customer information that results in material litigation
- Financial statement disclosures: the range and magnitude of the financial statement implications of a cybersecurity incident
- Board risk oversight: if cybersecurity risks are material to a company's business, the nature of the board's role in overseeing the management of that risk
PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.