Tag: cybersecurity disclosure

Commissioner Roisman talks cybersecurity

On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”

SEC Chair testifies before Senate Banking Committee—firmly denies paternity of all public companies!

On Tuesday last week, SEC Chair Gary Gensler gave testimony before the Senate Committee on Banking, Housing and Urban Affairs. His formal testimony covered a number of topics on the SEC’s agenda that Gensler (and others) have addressed numerous times in the past: market structure and equity markets, predictive analytics, crypto, issuer disclosure, China, SPACs and Rule 10b5-1 plans. (See, e.g., this PubCo post and this PubCo post.) While the formal testimony covered some well-trod territory, the questioning highlighted the political polarization that we are likely to see continue as these proposals are presented for consideration.

Corp Fin Chief Accountant echoes theme of need for Brexit, LIBOR and cybersecurity disclosure

Officials at the SEC all seem to be singing the same tune these days, emphasizing the need to amp up company disclosures regarding Brexit, the LIBOR phase-out and cybersecurity. As reported by the WSJ, Corp Fin Chief Accountant Kyle Moffatt, speaking at the FEI Current Financial Reporting Issues Conference, echoed the earlier informal guidance provided by SEC Chair Jay Clayton, Corp Fin Director William Hinman and Deputy Director Shelley Parratt that the SEC will be looking for enhanced disclosure on these topics where material. (See this PubCo post.)  Given the onslaught of admonitions, companies would be well advised to pay attention.

EY offers new analysis of cybersecurity disclosures

In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (79 companies that had filed as of September 1, 2018).  The analysis notes that, not only are regulators focused on cybersecurity risk management and disclosure, but investors consider cybersecurity risk management as critical to the board’s risk oversight responsibilities and boards are increasingly engaged on the topic. The analysis found a wide variation in the depth and nature of the disclosures.

SEC brings enforcement action for failure to timely disclose cyber breach

In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents, and asked whether an enforcement action might just be on the horizon. In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”

Center for Audit Quality issues tool for board oversight of cybersecurity risk

The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members.  The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures.  The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.

SEC Commissioner Jackson sees cyber threat as a corporate governance issue

In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed to be “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reports that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”

Cooley Alert: SEC Issues New Guidance on Cybersecurity Disclosure and Policies

Our most recent Cooley Alert discusses the SEC’s new guidance on cybersecurity disclosure and policies.  The message of the guidance is this – with the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches, companies need to review the adequacy of their disclosures regarding cybersecurity and consider how […]

New SEC guidance on cybersecurity disclosure

Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity.  The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading.   While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.

Cybersecurity risk disclosure remains at relatively low levels, but for how long?

Even though, in the wake of recent events, cybersecurity is a very hot topic, only 38% of U.S. public companies cite cybersecurity as a risk factor in their annual and quarterly SEC filings, according to a recent study from Intelligize.  The study showed that, while only 426 public companies cited cybersecurity as a risk in 2012, that number grew to 1,662 in 2016.  However, so far in 2017, the number has been relatively flat at 1,680. But the question remains, how long will that continue?