Last week, the SEC proposed changes to the EDGAR system designed primarily to enhance EDGAR security, specifically related to EDGAR filer access and account management. In his Statement, SEC Chair Gary Gensler observed that a “lot has changed in the three decades since the Commission first required mandatory EDGAR filings in 1993.” While the SEC has updated EDGAR several times, it’s been over ten years since the SEC updated EDGAR login, password and other account access protocols in any significant way. Currently, Gensler reminded us, “registrants have one login per company. This is like having a family passing around one shared login and password for a movie streaming app. You know where that can lead. That’s simply not the most secure system—for filers and the Commission alike—when it comes to information relating to financial disclosure. By contrast, today’s actions would further secure login protocols by requiring every person filing something into EDGAR to login with individual credentials and to use multi-factor authentication.” Will the proposed new system, if finalized, put the kibosh on fake SEC Form 4s, fake Forms 8-K, fake Schedules 13D, fake SEC correspondence and other fake SEC filings? The proposal is open for comment for 60 days after publication in the Federal Register.
In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reported that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”
BDO identifies questions companies may need to address at annual meetings of shareholders this season
Just in time to get ready for those annual meetings of shareholders, accounting firm BDO’s Center for Corporate Governance and Financial Reporting has developed a list of topics that companies should be prepared to address at their annual meetings of shareholders this season. The broad themes include the impact of efforts by the current administration regarding protectionism, taxes and deregulation, as well as corporate accountability and compliance.
SEC hack provides occasion for Chair Clayton to revitalize 2011 Corp Fin disclosure guidance on cybersecurity risks and incidents
As you probably read in the papers (see, e.g., this article from the WSJ), SEC Chair Jay Clayton announced yesterday that, in 2016, the SEC’s EDGAR system was hacked and, in August 2017, the staff determined that the hack may have led to insider trading. The hackers took advantage of “a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery….” The SEC believes “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.” As part of his lengthy statement, Clayton addressed the cybersecurity considerations that the staff applies in the context of its review of public company disclosures.
by Cydney Posner As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies’ chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of […]
by Cydney Posner Here is an unnerving warning from FireEye, a cybersecurity firm, discussed in this article from MarketWatch, regarding a sophisticated, native-English-speaking group, designated FIN4, that has targeted almost 100 public companies, primarily healthcare and pharma, to compromise their confidential information. What’s unusual here is that the apparent purpose of […]