Commissioners, Industry Point to Limits in Latest SEC Cyber Security Guidance

The SEC recently published additional guidance to public companies on preparing policies and procedures and providing disclosures about cybersecurity risks and incidents. The guidance also urges companies to disclose the extent of their boards of directors' role in risk oversight and to describe in disclosures the nature of the board's role in overseeing the management of cybersecurity risk. The new guidance was hailed for addressing emerging risks, including ransomware, phishing and DDoS attacks. Industry participants also welcomed the guidance's attention to insider trading risk linked to undisclosed cybersecurity issues.

Commentators note, however, that the guidance still may not go far enough. An article in the risk management publication CSO observes that the SEC's recommendations carry no consequences for firms that fail to follow them. The article points out that, in contrast, several states have enacted breach notification laws with significant enforcement power behind them. Commissioners Kara Stein and Robert Jackson have also criticized the guidance for not going far enough, with Stein saying that it merely reiterates the SEC's guidance issued in 2011 and could, among other things, have helped companies formulate more meaningful disclosure for investors.