SEC cyber guidance helps corporates avoid breaches

Author: John Crabb | Published: 11 Jan 2019

Interpretive guidance issued by the Securities and Exchange Commission (SEC) in February 2018 has effectively helped corporates prepare disclosures and control cybersecurity risks in the 11 months since it was released. The guidance offered clarity regarding what needs to be reported, to whom, and when, and has shown that the Commission is taking the issue very seriously.

It has been clear for several years that cybersecurity issues were becoming more serious, said Sherrese Smith, partner at Paul Hastings. "There is nothing like having the SEC reiterate numerous times that a lack of internal controls or processes and policies are almost a per se issue from their perspective," she added.

"It has allowed companies to dedicate the resources and finances necessary to improve their cybersecurity practices so that they don’t have issues later on. Boards are now asking C-suites to explain what they are doing, and what controls are in place for...