• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
  • EN | FR
Background Image
Bennett Jones Logo
  • People
  • Expertise
  • Knowledge
  • Search
  • FR Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Energy Infrastructure Mining Private Equity & Investment Funds View all
Advisory
Crisis & Risk Management Public Policy
View Client Work
International Experience
Insights News Events Subscribe
Arbitration Angle Artificial Intelligence Insights Business Law Talks Podcast Class Actions: Looking Forward Class Action Quick Takes
Economic Outlook New Energy Economy Series Quarterly Fintech Insights Quarterly M&A Insights Sustainability & the CIO
People
Offices
About
Practices
Industries
Advisory Services
Client Work
Insights
News
Events
Careers
Law Students
Alumni
Payments
Search
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 
Blog

Updated Guidance on Cybersecurity Disclosures from the SEC

March 05, 2018

Written By Ruth E. Promislow and Katherine Rusk

The U.S. Securities and Exchange Commission (SEC) published updated guidance on February 21, 2018, for how and when public companies should disclose cybersecurity risks and breaches. The SEC explains that the additional guidance is given “in light of the increasing significance of cybersecurity incidents.”

A significant element of the guidance is the requirement to disclose particulars of the extent of board risk oversight. In particular, companies must disclose how the board administers its oversight function and the effect this has on the board’s leadership structure. This requirement underscores the expectation that boards are in fact engaging with management on cybersecurity issues.

In addition to the above, companies are expected to make disclosure relating to cybersecurity. Highlights include the following:

  • Companies must provide timely and ongoing information in periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.
  • Companies are encouraged to make prompt disclosure pertaining to cybersecurity matters.
  • Companies should disclose the risks associated with cybersecurity incidents. It is stated that it would be helpful for companies to consider issues such as the following: occurrence of prior incidents, including their severity and frequency; the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventive actions; the aspects of the company’s business; and operations that give rise to material risks.
  • If cybersecurity incidents or risks materially affect a company’s products, services, relationships or competitive conditions, the company must provide appropriate disclosure.
  • Financial impacts of a cybersecurity incident are expected to be incorporated into financial statements.

Companies are encouraged “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.”

The guidance further sets out the requirement that public operating companies inform investors about cybersecurity risks and incidents in a timely fashion. This includes companies that have not yet been the target of a cyberattack but are subject to cybersecurity risks. More specifically, with respect to public operating companies, the guidance addresses two topics not developed in the 2011 guidance: required cybersecurity policies and procedures; and the prohibition of trading of a the company's securities by corporate insiders who are in possession of material non-public information related to cyber incidents.

The expanded SEC guidance underscores the inescapable reality that cybersecurity must be front of mind for all businesses, and in particular for directors.

Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.

For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.

Download PDF

Author

  • Ruth E. Promislow Ruth E. Promislow, Partner

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

Upending the Ground Rules: Proposed Major Overhaul [...]

May 08, 2025
       

Blog

Government of Alberta Proposes Significant Changes [...]

May 06, 2025
       

Blog

What Does the SPAC IPO Rebound Mean for Cross-Border Deals?

May 05, 2025
       

Blog

Q&A on Protecting Family Enterprises Through Collaborative Family Law

April 29, 2025
       

Blog

CSA Announces Pause on Climate-Related and Diversity-Related [...]

April 28, 2025
       
Bennett Jones Centennial Footer
Bennett Jones Centennial Footer
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
Offices
  • Calgary
  • Edmonton
  • Montréal
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2025. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones