Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

SEC Issues Guidance on Cyber-Security Disclosure

Reese Darragh | October 17, 2011

Staff at the Securities and Exchange Commission's Corporate Finance Division issued some non-binding guidance on how companies should disclose their responsibilities when dealing with cyber-security risks and breach of data incidents.

In its latest CF Disclosure Guidance Topic No. 2, released on Oct. 13, staff at the Corporate Finance Division (Corp Fin) outlined companies' disclosure obligations in the event that they experience or may potentially be affected by breach of data incidents.

Specifically, Corp Fin wants companies to disclose types of risks, an explanation of how the security breach will affect business, the effect of a data breach (before, during, and after) on the company's financial performance, and a discussion of the adequacy of the company's internal controls and procedures.

Companies are also required to sum up their own conclusions on the effectiveness of their internal cyber-security controls. The guidance says that if information could not be recorded properly due to a cyber incident that affected a registrant's information system, the registrant can conclude that the disclosure procedures are ineffective.

The guidance is the second in the series of Corp Fin's staff disclosure topics. The first issue addressed the requirement of companies' Form-8K reverse merger transaction filings. The staff reiterated that the guidance represents the views of Corp Fin and is not a rule. The Commission has neither approved nor disapproved its content.