Increased Focus on Cybersecurity Warrants Review of Policies and Procedures

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed amendments to its rules to require additional disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These new proposed rules expand on over a decade of focus by the SEC on cybersecurity and the need for adequate risk management.

In 2011, the SEC issued the Division of Corporation Finance’s CF Disclosure Guidance: Topic No. 2 Cybersecurity, which provides guidance to public companies regarding what disclosures should be provided about cybersecurity matters. In response to the increasing significance of cybersecurity incidents, the SEC updated the 2011 Guidance during 2018 with the Commission Statement and Guidance on Public Company Cybersecurity Disclosures. The 2018 Statement reinforced and expanded upon the 2011 Guidance and addressed new topics, specifically the requirement to establish and maintain appropriate disclosure controls and procedures related to cybersecurity. Then, during 2021, the SEC issued two Consent Orders settling charges against two companies for violations of disclosure controls and procedures and misleading investors about cyber intrusions.

But cybersecurity is not only a concern of public companies. In 2022, small and middle-sized companies are increasingly targets of cyber-attacks due to their perceived lack of resources and security expertise. In recognition of this fact, during National Small Business Week (May 1-7, 2022), the U.S. Cybersecurity & Infrastructure Security Agency – the U.S. government agency dedicated to the coordination and execution of national cyber defense – is encouraging small and middle-sized businesses to strengthen their cyber defenses and providing resources for doing so.

As part of this increased focus, in subsequent posts and alerts, our team will continue providing an overview of what public companies are required to consider and execute under the SEC’s Cybersecurity Guidance and Rules, and also provide risk management best practices to implement based on the size and risk profile of both public and non-public businesses.
