The US Securities and Exchange Commission (SEC) has published an interpretive release directed at public companies, stressing the need to maintain comprehensive policies and procedures related to cyber security risks and incidents.  The release also reinforces the SEC’s requirement for public companies to have robust disclosure controls and procedures which should operate in relation to cyber security risks and incidents.  The release is also a reminder to companies and company insiders of the applicable insider trading prohibitions and the obligation not to make selective disclosures of material non-public information about cybersecurity risks or incidents.  According to the SEC,

“The materiality of cyber security risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.  The materiality of cyber security risks and incidents also depends on the range of harm that such incidents could cause.  This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities.”

The release does not address the specific implications of cyber security to other regulated entities, such as investment advisers and investment companies, and the SEC does refer such entities back to the guidance published in 2015. Although not specifically applicable to most investment advisers, the guidance in the interpretive release is a reminder of the SEC’s perspective about the need for effective controls and procedures for cyber security, what it considers to be material risk in this area, and its views on disclosure of material incidents.

Please contact Jennifer Wood should you have any questions regarding this interpretive release.