One thing I appreciate about the SEC comment letter process is that it gives real-life examples of what is often discussed hypothetically. Take, for example, cybersecurity and steps management should take when a data incident occurs. How quickly should a public company make its public disclosure of a data incident? What should it say? What should the process look like?
In 2018, the SEC issued helpful interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. This was in addition to the Division of Corporation Finance’s 2011 guidance regarding disclosure obligations relating to cybersecurity risks and incidents. Our friends at corporatecounsel.net also ran a helpful blog post on February 18 related to cyber response plan testing.
It is clear there is no single playbook for a data incident response, and the appropriate response is driven by the facts and circumstances of the situation. One size does not fit all. However, it is helpful when preparing a response plan to analyze a real-life example. That is why the SEC comment exchange recently made public between the Staff and Chegg, Inc. last fall is particularly insightful.