A reminder on SEC cyberliability guidance

Everyone knows that cyber-threats have become more prevalent and pose additional risks for companies. The SEC knows this too, and has long since issued informal guidance to companies when it comes to cybersecurity disclosure. Media reports concerning SEC Chairman Mary Jo White indicate that she's interested in how companies have reacted to the SEC's guidance, as well as any further SEC action that should be taken.

MD&A. The SEC recommends businesses disclose cyber-threats in their MD&A if the costs that could result from data breaches will have a material effect on operations or a company's financial condition.

Risk factors. The SEC's guidance includes asking companies to consider supplemental risk factor disclosures, including (1) the "probability of a cyberincident," (2) the "quantitative and qualitative magnitude of those risks" and (3) a "description of relevant insurance coverage."

This last category, insurance, can be tricky. As Woodruff Sawyer partner Lauri Floresca discussed in a recent article, this insurance is highly customized, and the availability of coverage can vary significantly. Working with a sophisticated insurance broker who is an expert in the area of cyberliablity is critical when it comes to this kind of insurance.

The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email:



Table of Contents