Much has been written about the SEC’s interpretive guidance on cybersecurity disclosures, issued in late February, including Commissioner Stein’s statement that it under-delivers for investors, public companies, and the capital markets. As many observers have noted, the Commission largely repackaged the Division of Corporation Finance’s prior October 2011 guidance. Further, by issuing interpretive guidance, rather than engaging in formal rulemaking, the SEC’s pronouncement does not have the force and effect of law and is not accorded such weight in the adjudicatory process.
Cybersecurity continues to be “top-of-mind” for the Security and Exchange Commission (SEC). That point couldn’t be made more clear than in comments and remarks made during the annual “SEC Speaks” conference in Washington, D.C. on February 23 and 24. Read more for a full summary of the conference, including the SEC’s discussion of cybersecurity-related risk and incident disclosures, the Enforcement division’s formation of a Cyber Unit in the fall of 2017, and the SEC’s increased emphasis on the need for insider trading policies that address the impact of cyber events.