Tag: cybersecurity

SEC adopts EDGAR Next

In September last year, the SEC proposed changes to the EDGAR system designed primarily to enhance EDGAR security, specifically related to EDGAR filer access and account management. (See this PubCo post.) While the SEC has updated EDGAR several times, it’s been over ten years since the SEC updated EDGAR login, password and other account access protocols in any significant way. On Friday, the SEC adopted the proposal with some changes. As summarized in the press release, “[t]he amendments require EDGAR filers to authorize identified individuals who will be responsible for managing their accounts, and individuals acting on behalf of EDGAR filers will need to present individual account credentials obtained from Login.gov to access those EDGAR accounts and make filings. Form ID, the application for access to EDGAR, will be modernized to make the form more user-friendly.” Filers will also be able to use optional Application Programming Interfaces (APIs), described as “a machine-to-machine method of making submissions, retrieving information, and performing account management tasks that will improve the efficiency and accuracy of filers’ interactions with EDGAR.” According to SEC Chair Gary Gensler, “[t]he public and the SEC long have benefited from the EDGAR electronic filing system….Today’s amendments are an important next step for EDGAR account access protocols.” In his statement, he added that, “[u]nder previous requirements, registrants had one login per company. This is like having a family passing around one shared login and password for a movie streaming app. You know where that can lead. That’s simply not the most secure system—for filers and the Commission alike—when it comes to information relating to financial disclosure. By contrast, today’s amendments further secure login protocols by requiring every person filing something into EDGAR to login with individual credentials and to use multi-factor authentication.” The rule and form amendments will become effective March 24, 2025. On the same date, the new dashboard will go live, and compliance with the amended Form ID requirements will be required. The compliance date for all other rule and form amendments is September 15, 2025. I know you’ll be excited to study the new EDGAR filer manual and here’s a blackline copy to help with that undertaking. Will the new system put the kibosh on fake SEC Form 4s, fake Forms 8-K, fake Schedules 13D, fake SEC correspondence and other fake SEC filings?

Is the SEC’s case against SolarWinds counterproductive?

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As described by NPR in 2021, the hack was “believed to be directed by the Russian intelligence service, the SVR,” which used a “routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.” It was estimated that 18,000 customers were affected, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. The SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” The gist of the complaint, as alleged by the SEC, is that many red flags emerged and incidents occurred, well known among company employees, that should have spurred the company and its CISO to take action to address serious cyber vulnerabilities, including vulnerabilities related to the company’s “crown jewel” assets. Instead, the SEC charged, the CISO “failed to resolve the issues or, at times, sufficiently raise them further within the company.” (See this PubCo post.) As discussed in this blog post, Fatal Flaws in SEC’s Amended Complaint Against SolarWinds, from our White Collar Defense and Investigations group, this case has developed into a very high-stakes contest.

CAQ’s 2024 audit committee practices report discusses priorities and practices

The Center for Audit Quality has released its 2024 “Audit Committee Practices Report: Common Threads Across Audit Committees.” The report highlights the top five audit committee priorities identified by committee members in a survey from CAQ and discusses practices to improve effectiveness and other observations. Interspersed throughout the report are recommendations and advice from the CAQ. What was identified by respondents as the “most important topic, risk, or issue” for their audit committees in the next 12 months? Not financial reporting or financial audits—core responsibilities for the audit committee—as you might expect. Nope, it was cybersecurity. According to the CAQ report, the scope of audit committee responsibilities “continues to expand beyond the traditional remit of financial reporting and internal controls, internal and external audit, and ethics and compliance programs. Topics like cybersecurity, artificial intelligence (AI), and climate are now regularly showing up on many audit committee agendas, especially when it’s a matter of complying with regulatory disclosure requirements.” Audit committee members and their advisors may want to check out the report.

Some highlights of the 2023 PLI Securities Regulation Institute

This year’s PLI Securities Regulation Institute was a source for a lot of useful information and interesting perspectives. Panelists discussed a variety of topics, including climate disclosure (although no one shared any insights into the timing of the SEC’s final rules), proxy season issues, accounting issues, ESG and anti-ESG, and some of the most recent SEC rulemakings, such as pay versus performance, cybersecurity, buybacks and 10b5-1 plans. Some of the panels focused on these recent rulemakings echoed concerns expressed last year about the difficulty and complexity of implementation of these new rules, only this time, we also heard a few panelists questioning the rationale and effectiveness of these new mandates. What was the purpose of all this complication? Was it addressing real problems or just theoretical ones? Are investors really taking the disclosure into account? Is it all for naught? Pay versus performance, for example, was described as “a lot of work,” but, according to one of the program co-chairs, in terms of its impact, a “nothingburger.” (Was “nothingburger” the word of the week?) Aside from the agita over the need to implement the volume of complex rules, a key theme seemed to be the importance of controls and process—the need to have them, follow them and document that you followed them—as well as an intensified focus on cross-functional teams and avoiding silos. In addition, geopolitical uncertainty seems to be affecting just about everything. (For Commissioner Mark Uyeda’s perspective on the rulemaking process presented in his remarks before the Institute, see this PubCo post.) Below are just some of the takeaways, in no particular order.

Time for EDGAR Next?

Last week, the SEC proposed changes to the EDGAR system designed primarily to enhance EDGAR security, specifically related to EDGAR filer access and account management. In his Statement, SEC Chair Gary Gensler observed that a “lot has changed in the three decades since the Commission first required mandatory EDGAR filings in 1993.” While the SEC has updated EDGAR several times, it’s been over ten years since the SEC updated EDGAR login, password and other account access protocols in any significant way. Currently, Gensler reminded us, “registrants have one login per company. This is like having a family passing around one shared login and password for a movie streaming app. You know where that can lead. That’s simply not the most secure system—for filers and the Commission alike—when it comes to information relating to financial disclosure. By contrast, today’s actions would further secure login protocols by requiring every person filing something into EDGAR to login with individual credentials and to use multi-factor authentication.” Will the proposed new system, if finalized, put the kibosh on fake SEC Form 4s, fake Forms 8-K, fake Schedules 13D, fake SEC correspondence and other fake SEC filings? The proposal is open for comment for 60 days after publication in the Federal Register.

SEC Commissioner Jackson sees cyber threat as a corporate governance issue

In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed to be “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reports that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”

BDO identifies questions companies may need to address at annual meetings of shareholders this season

Just in time to get ready for those annual meetings of shareholders, accounting firm BDO’s Center for Corporate Governance and Financial Reporting has developed a list of topics that companies should be prepared to address at their annual meetings of shareholders this season. The broad themes include the impact of efforts by the current administration regarding protectionism, taxes and deregulation, as well as corporate accountability and compliance.

SEC hack provides occasion for Chair Clayton to revitalize 2011 Corp Fin disclosure guidance on cybersecurity risks and incidents

As you probably read in the papers (see, e.g., this article from the WSJ), SEC Chair Jay Clayton announced yesterday that, in 2016, the SEC’s EDGAR system was hacked and, in August 2017, the staff determined that the hack may have led to insider trading. The hackers took advantage of “a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery….” The SEC believes “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.” As part of his lengthy statement, Clayton addressed the cybersecurity considerations that the staff applies in the context of its review of public company disclosures.

NACD suggests questions for boards to ask cybersecurity officers

by Cydney Posner As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies’ chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of […]

Cyberthieves collect confidential information, apparently to conduct insider trading

by Cydney Posner Here is an unnerving warning from FireEye, a cybersecurity firm, discussed in this article from MarketWatch, regarding a sophisticated, native-English-speaking group, designated FIN4, that has targeted almost 100 public companies, primarily healthcare and pharma, to compromise their confidential information. What’s unusual here is that the apparent purpose of […]