On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.
"Investors have been kept completely in the dark" about cybersecurity risks and their effect on a company. "This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure."
- Sen. John D. Rockefeller IV (D-W.Va.), Chairman, Senate Commerce Committee
Regulators and plaintiffs' counsel now have an additional area to scrutinize – whether public companies have adequately evaluated and reported their cybersecurity risks.
Given the potential impact on a company, understanding the scope and suggested requirements under the new SEC guidance is critical.
All businesses using the Internet are, to some degree, vulnerable to intrusions, so what does the new guidance actually mean for public companies?
- When does the risk of intrusion become material?
- What are the triggers for reporting?
- What assessments are required?
- Does every company suffering a data security breach have to report it to the SEC?
- What has to be reported?
- How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
- What is the best way for a company to wrap its arms around a cyber attack so it can make the appropriate disclosure?
- What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?
These questions and more will be addressed in this webinar featuring Rich Parrino, Partner in Hogan Lovells Capital Markets practice, Chris Wolf, Co-Head of Hogan Lovells Privacy and Information Management practice, and John Stark, Managing Director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.