Font Size: 

Over five years ago, the Securities and Exchange Commission (SEC) issued a “guidance†suggesting certain cybersecurity governance and incident disclosures for publicly traded businesses in their Form 8-K and 10-K reports. The Guidance did not have the force of law, but practitioners recognized that a failure to follow the “views†of the SEC staff could lead to enforcement actions.  Commentators criticized the SEC for requiring unnecessary disclosures of trivial cybersecurity breaches, for not requiring enough information about significant breaches, for requiring too much information about cybersecurity structure, and for failing to promulgate regulations using the notice-and-comment procedure.  This research explores SEC activity on cybersecurity disclosure requirements since the initial guidance.

law; securities; cybersecurity