Bennett Jones

Blog

Updated Guidance on Cybersecurity Disclosures from the SEC

March 05, 2018


Written by Ruth E. Promislow and Katherine Rusk

The U.S. Securities and Exchange Commission (SEC) published updated guidance on February 21, 2018, for how and when public companies should disclose cybersecurity risks and breaches. The SEC explains that the additional guidance is given “in light of the increasing significance of cybersecurity incidents.”

A significant element of the guidance is the requirement to disclose particulars of the extent of board risk oversight. In particular, companies must disclose how the board administers its oversight function and the effect this has on the board’s leadership structure. This requirement underscores the expectation that boards are in fact engaging with management on cybersecurity issues.

In addition to the above, companies are expected to make disclosure relating to cybersecurity. Highlights include the following:

  • Companies must provide timely and ongoing information in periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.
  • Companies are encouraged to make prompt disclosure pertaining to cybersecurity matters.
  • Companies should disclose the risks associated with cybersecurity incidents. The guidance states that it would be helpful for companies to consider issues such as the following: occurrence of prior incidents, including their severity and frequency; the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventive actions; and the aspects of the company’s business and operations that give rise to material risks.
  • If cybersecurity incidents or risks materially affect a company’s products, services, relationships or competitive conditions, the company must provide appropriate disclosure.
  • Financial impacts of a cybersecurity incident are expected to be incorporated into financial statements.

Companies are encouraged “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.”

The guidance further sets out the requirement that public operating companies inform investors about cybersecurity risks and incidents in a timely fashion. This includes companies that have not yet been the target of a cyberattack but are subject to cybersecurity risks. More specifically, with respect to public operating companies, the guidance addresses two topics not developed in the 2011 guidance: required cybersecurity policies and procedures; and the prohibition of trading of the company's securities by corporate insiders who are in possession of material non-public information related to cyber incidents.

The expanded SEC guidance underscores the inescapable reality that cybersecurity must be front of mind for all businesses, and in particular for directors.


Authors

  • Ruth E. Promislow, Partner
  • Katherine Rusk, Associate
