NABET, NABET 2016 Conference

SEC Cybersecurity Disclosure Requirements: Too Hot, Too Cold, or Just Right?
Loren F Selznick, Carolyn LaMacchia

Last modified: 2017-03-25

Abstract


Over five years ago, the Securities and Exchange Commission (SEC) issued a “guidance” suggesting certain cybersecurity governance and incident disclosures for publicly traded businesses in their Form 8-K and 10-K reports. The Guidance did not have the force of law, but practitioners recognized that a failure to follow the “views” of the SEC staff could lead to enforcement actions. Commentators criticized the SEC for requiring unnecessary disclosures of trivial cybersecurity breaches, for not requiring enough information about significant breaches, for requiring too much information about cybersecurity structure, and for failing to promulgate regulations using the notice-and-comment procedure. This research explores SEC activity on cybersecurity disclosure requirements since the initial guidance.

Keywords


law; securities; cybersecurity