This new guidance doesn’t really go much beyond the staff guidance issued in 2011, and that may be one reason that Commissioners Kara Stein and Robert Jackson both expressed reservations and advocated for the SEC to do more.

According to the law firm Shearman & Sterling, Commissioner Stein acknowledged that further action in this area may require formal SEC rule making rather than interpretation of existing rules, and the interpretive guidance itself states that the Commission “continues to consider other means of promoting appropriate disclosure of cyber incidents.” To view the guidance in the Federal Register, go to:

About the Authors