SEC to Take Up Cybersecurity Reporting Guidance Feb. 21

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

By Andrew Ramonas

Companies seeking more clarity on disclosing cybersecurity issues to the SEC in the wake of Equifax Inc.’s massive data breach may soon get it.

The Securities and Exchange Commission Feb. 21 will vote on whether to release new guidance on reporting about cyber risks and incidents, the agency said Feb. 14. SEC staff last issued such guidance in 2011, telling companies they may have to report cyber matters that could affect their financial condition.

The commission has yet to announce the specifics of the proposed update. An SEC representative didn’t immediately respond to a request for information.

But William Hinman, director of the SEC’s Division of Corporation Finance, did share the agency’s thinking on the guidance in November.

Companies can probably expect it to remind them to look at their disclosure controls and escalation procedures when they experience cyber incidents and to not forget that details on cyberattacks can be material nonpublic information, he said.

The SEC has seen “more and more events happen” at companies, which have a “range of approaches on disclosure” about cybersecurity, Hinman said.

The commission also will vote on matters concerning investment companies Feb. 21. The open meeting on rulemaking is the second such gathering under SEC Chairman Jay Clayton.

To contact the reporter on this story: Andrew Ramonas in Washington at

To contact the editor responsible for this story: Seth Stern at

For More Information

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Securities & Capital Markets on Bloomberg Law