Tag: cybersecurity disclosure

Audit Analytics reports on cybersecurity disclosure

These days, with our government warning regularly about the likelihood of breaches in cybersecurity, concerns about cyber threats have only multiplied.  Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo post), SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all.  Audit Analytics has just posted a new report regarding trends in cybersecurity incident disclosures. The report indicates that, in 2021, there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the most breaches disclosed in a single year since 2011. And, since 2011, the number of cybersecurity incidents disclosed annually has increased nearly 600%. Interestingly, however, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, the report said.

SEC votes to propose new rules for cybersecurity disclosure and incident reporting [UPDATED]

[This post revises and updates my earlier post primarily to reflect the contents of the proposing release.]

At an open meeting last week, the SEC voted, three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” At the meeting, SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. The SEC’s proposal is intended to provide meaningful and decision-useful information to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Notably, the proposal is quite prescriptive, with a number of multi-part bullet point disclosure requirements, just the sort of thing to elicit a dissent from Commissioner Hester Peirce. The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

SEC votes to propose new rules for cybersecurity disclosure and incident reporting

In remarks in January before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it’s a national security issue. Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where “the war in Ukraine is stress-testing the system.”) And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that’s more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What’s more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

Gensler discusses cybersecurity under the securities laws

In remarks yesterday before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. Gensler suggests that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue.  He reminds us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. Given the frequency of cybersecurity incidents, the SEC is “working to improve the overall cybersecurity posture and resiliency of the financial sector.” To Gensler, the SEC’s cybersecurity policy has three components: “cyber hygiene and preparedness; cyber incident reporting to the government; and in certain circumstances, disclosure to the public.”  In his remarks, Gensler considered cybersecurity in a variety of contexts, including SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers and other market intermediaries; service providers and the SEC itself, but his discussion of cybersecurity in the context of public companies is of most interest here.

Commissioner Roisman talks cybersecurity

On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”

SEC Chair testifies before Senate Banking Committee—firmly denies paternity of all public companies!

On Tuesday last week, SEC Chair Gary Gensler gave testimony before the Senate Committee on Banking, Housing and Urban Affairs.  His formal testimony covered a number of topics on the SEC’s agenda that Gensler (and others) have addressed numerous times in past: market structure and equity markets, predictive analytics, crypto, issuer disclosure, China, SPACs and Rule 10b5-1 plans. (See, e.g., this PubCo post and this PubCo post.) While the formal testimony covered some well-trod territory, the questioning highlighted the political polarization that we are likely to see continue as these proposals are presented for consideration. 

Corp Fin Chief Accountant echoes theme of need for Brexit, LIBOR and cybersecurity disclosure

Officials at the SEC all seem to be singing the same tune these days, emphasizing the need to amp up company disclosures regarding Brexit, the LIBOR phase-out and cybersecurity. As reported by the WSJ, Corp Fin Chief Accountant Kyle Moffatt, speaking at the FEI Current Financial Reporting Issues Conference, echoed the earlier informal guidance provided by SEC Chair Jay Clayton, Corp Fin Director William Hinman and Deputy Director Shelley Parratt that the SEC will be looking for enhanced disclosure on these topics where material. (See this PubCo post.)  Given the onslaught of admonitions, companies would be well advised to pay attention.

EY offers new analysis of cybersecurity disclosures

In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (79 companies that had filed as of September 1, 2018).  The analysis notes that, not only are regulators focused on cybersecurity risk management and disclosure, but investors consider cybersecurity risk management as critical to the board’s risk oversight responsibilities and boards are increasingly engaged on the topic. The analysis found a wide variation in the depth and nature of the disclosures.

SEC brings enforcement action for failure to timely disclose cyber breach

In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon? In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances.  Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC  announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”

Center for Audit Quality issues tool for board oversight of cybersecurity risk

The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members.  The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures.  The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.