Disclosure guidance released by the Securities and Exchange Commission (SEC) in February of 2018 offers best practices for companies disclosing cyber breaches. In a recent article for International Financial Law Review, Debevoise partner Paul Rodel addresses how these guidelines affect the reporting process.

One of the first questions companies can expect to answer following a breach is whether their response lined up with their own corporate governance: was everyone alerted that should have been? Was the board brought in at the right time? “This feels like a core principle,” Mr. Rodel said. “The SEC is looking at compliance with disclosure requirements and internal corporate governance policies and procedures.”

However, much of the SEC’s guidance is based on existing securities laws, which begs the question of whether new requirements and regulation are necessary. “While there is clarity in the guidance,” Mr. Rodel said “there wasn’t a whole lot new. I don’t think we need new line-item rules.”

SEC Cyber Guidance Helps Corporates Avoid Breaches
By John Crabb
January 11, 2019