SEC: Disclosure of Cybersecurity Risks and Incidents (CF Disclosure Guidance: Topic No. 2 Cybersecurity)
Hello, this is Mitsuhiko Maruyama. This was introduced on Professor Natsui's blog quite a while ago, so I had thought I could let it go, but I'm posting it on this blog as well...
■Cyberlaw
・2011.10.17 US: FTC publishes guidelines on the disclosure of information about cybersecurity risks
■SEC
・2011.10.13 CF Disclosure Guidance: Topic No. 2 Cybersecurity
Basically, I think the message is: please disclose cybersecurity-related risks and incidents as well, in accordance with the risk disclosure requirements that are already in place... That said, the background is presumably that such descriptions have not been sufficient so far...
=====
A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.
While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.
=====