The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: SEC Disclosure

  • From Vol. 4 No.40 (Nov. 28, 2018)

    SEC Officials and the Defense Bar Talk Cybersecurity Enforcement Trends and Takeaways From Recent Cases

    Cybersecurity-related enforcement has been one highlight of SEC activity in a year in which many are perceiving a general slowdown. At the recent Securities Enforcement Forum in Washington, D.C., hosted by Securities Docket, current and former SEC enforcement officials and members of the defense bar came together to share their insights on the direction of SEC enforcement. They discussed, among other things, what the new cyber unit is looking for, lessons from recent cases such as Yahoo and Voya, best practices for reporting breaches and takeaways from the recent Rule 21A Report about business email compromise. See “How Financial Services Firms Should Structure Their Cybersecurity Programs” (May 9, 2018).

  • From Vol. 4 No.10 (May 2, 2018)

    SEC $35-Million Yahoo Settlement Carries Breach Disclosure Lessons

    On the heels of publishing disclosure guidance, the SEC has issued an order in its first-ever action against a public company for failing to disclose a material data breach. Altaba Inc. (formerly Yahoo) has agreed to a $35-million fine to settle SEC accusations that it failed to promptly notify investors about a massive 2014 data breach in which hackers stole personal data relating to hundreds of millions of user accounts. “Yahoo’s nearly two-year delay in making the breach known to investors, the vast number of users affected, and the company’s issuance of numerous public filings that failed to mention the breach made [it] a prime candidate for the SEC to make an example of,” Cadwalader partner Joseph Moreno told The Cybersecurity Law Report. See also “SEC Confirms Cyber Disclosure Expectations in New Guidance” (Feb. 28, 2018).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    SEC Confirms Cyber Disclosure Expectations in New Guidance

    The SEC’s latest guidance emphasizes proper and full disclosures related to cybersecurity risks and incidents throughout relevant filings. In its “Statement and Guidance on Public Company Cybersecurity Disclosures,” the SEC stated that “informing investors about material cybersecurity risks and incidents in a timely fashion,” even if companies have “not yet been the target of a cyber attack,” is critical. Some say that this guidance largely repeats the SEC’s 2011 guidance on the topic, but the new guidance adds discussions of cybersecurity policies and procedures as well as of preventing insider trading tied to cybersecurity information. In this article, we analyze this guidance with advice on risk disclosures from EXL Chief Compliance Officer Nancy Saltzman. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)” (Aug. 12, 2015); Part Two (Aug. 26, 2015).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure

    Following cyber due diligence, acquiring companies should focus on carefully drafting M&A transaction documents, as many boilerplate reps and warranties regarding cybersecurity and privacy lack sufficient specificity. In addition, companies should develop a process governing internal due diligence and how and when to disclose cyber risks and events to the SEC. Proskauer partners Lauren Boglivi and Julie Allen provided guidance on these critical issues of documentation and disclosure at a recent event. In a companion article, we covered Boglivi and Allen’s remarks, in addition to those of Proskauer partners Kristen Mathews and Jeff Neuburger, about strategies for conducting cyber diligence on a target. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part Two of Two)

    Companies often seek more detailed cybersecurity guidance from the SEC than the agency has provided so far. The SEC has responded that there is not a single solution for the vast array of companies it regulates, making prescriptive guidance difficult. At the recent IAPP Global Privacy Summit, Stephanie Avakian, Acting Director of the SEC Division of Enforcement, and Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, along with Jay Johnson, a partner at Jones Day, discussed the SEC’s cybersecurity priorities and perspectives, and provided some of the insight companies are looking for. This second part of our coverage discusses the SEC’s cybersecurity examination process and guidance on corporate disclosures, including how it determines what is reasonable. Part one highlighted the agency’s cybersecurity-related enforcement actions and coordination with law enforcement and state regulators. See “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media 

    The advent of Twitter, Facebook, LinkedIn and other social media forums has had a dramatic impact on society at large, including the investment funds industry. Yet, investment advisers and firms may not fully grasp the compliance and operational risks that new technologies and sites can pose. Questions abound as to whether social media can be used to provide material information to certain investors at the expense of others, when the line is crossed from informational content to marketing a fund and whether the social media accounts of individual employees and representatives need to be monitored for compliance purposes. In-house compliance officers, outside counsel and an SEC branch chief in the Chief Counsel’s Office of the SEC’s Division of Investment Management discussed and offered insights on these issues at a recent Regulatory Compliance Association PracticEdge session. See also “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    Maximizing the Benefits of Big Data Within Permissible Bounds 

    Understanding how data is collected and shared is a critical component of cybersecurity and data privacy compliance. A recent PLI briefing looked at big data through the lens of businesses that use it for marketing, considering the various means by which it is collected, shared and used, the panoply of relevant laws and the related enforcement and litigation landscape. In addition to providing insight on these aspects, the program’s featured speaker, Robert H. Newman, a partner at Winston & Strawn, offered practical guidance for addressing big data issues in contracts and for dealing with data brokers. See also “Keeping Up With Technology and Regulatory Changes in Online Advertising to Mitigate Risks” (Jan. 6, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations

    Publicly traded companies face an array of cyber-related decisions beyond how to best secure their data – chief among them are when and to whom to disclose cyber risks, how to handle shareholder litigation that follows a breach and what type of insurance policy to choose to mitigate post-breach costs. At a recent seminar hosted by the Practising Law Institute, speakers from Labaton Sucharow, BitSight Technologies and Beecher Carlson addressed considerations for making disclosures to investors both prior to and following data breaches, elements of a securities fraud case and the scope of possible insurance coverage to mitigate losses following a breach. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.11 (May 25, 2016)

    Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

    The SEC has continued to emphasize cybersecurity preparedness, yet it has promulgated no specific requirement forcing public companies to disclose cybersecurity risks and incidents. In response, public companies are agonizing over how to proactively mitigate cyber attacks, how much information should be disclosed, and when such disclosures should be made. In a guest article, Richard A. Blunk, managing director and general counsel of Thermopylae Ventures, LLC and Apprameya Iyengar, an attorney at Morrison Cohen LLP, provide key considerations for public companies mitigating and disclosing cybersecurity risks. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)” (Aug. 12, 2015); Part Two (Aug. 26, 2015).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Synthesizing Breach Notification Laws in the U.S. and Across the Globe

    Does your company have a comprehensive breach disclosure plan that complies with regulatory and legal obligations across the globe? In a recent panel held at Georgetown Law School, Harriet Pearson and Allison Bender, a partner and associate, respectively, at Hogan Lovells, discussed the changing legal landscape of breach notification obligations, including the proliferation of disclosure obligations at the state, national and transnational level, as well as disclosure obligations among organizations. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part Two of Two)

    Public companies grapple with when and how to disclose the various cybersecurity risks they face and the incidents they experience in their SEC filings. How much is enough to disclose to satisfy regulators and how much is too much – both to preserve reputations and avoid giving would-be hackers ammunition? The first part of this two-part article series provided guidance on making appropriate disclosures to meet SEC and investor expectations. This second part provides suggestions on risk themes to include in risk disclosures as well as examples of relevant disclosures made in the 10-K filings for The New York Times, Home Depot, Morgan Stanley and Target. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)

    The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors. However, determining what is material, as well as when and how to disclose, is less clear. This article, the first in a two-part series, provides guidance on how to make appropriate disclosures that will meet the expectations of the SEC and investors regarding form, substance and timing. The second article will provide suggestions and examples for language to use in disclosures. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Cybersecurity and Information Governance Considerations in Mergers and Acquisitions

    The growing impact of cyber incidents has led to a heightened need to conduct thorough cyber due diligence both before and after an M&A deal. In a recent webinar, Reed Smith partners Anthony J. Diana, Courtney C.T. Horrigan, Mark S. Melodia and Richard D. Smith shared insight on how cybersecurity affects the valuation of certain assets and offered advice on how to focus due diligence to detect and assess cyber risks pre-transaction, including litigation risks that can arise from data breaches. They also recommended specific steps for planning post-closing data integration and evaluating the adequacy of insurance coverage. See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015). There has been a flurry of data breach activity over the past 10 years, and “it is only increasing in pace,” Melodia noted. A company’s cyber risk can directly affect its value in an M&A context. This is where “cyber risk meets the deal,” he said.

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities. Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness. A recent program sponsored by K&L Gates and the Investment Advisors’ Association, featuring experts from those entities as well as BNY Mellon and Nth Generation, explored the most effective and efficient testing methods. This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats

    How to handle five data privacy danger zones; the board’s role in cybersecurity; public relations strategies after a breach; and clauses to include in cloud vendor contracts were among the hot topics Weil, Gotshal & Manges attorneys discussed at a recent conference. Partners Carrie Mahan Anderson, Jeffrey S. Klein, P.J. Himelfarb, Jeffrey D. Osterman and Michael A. Epstein shared their advice in the panel discussion.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions

    When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities. In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state and local regulators and law enforcement agencies, including state attorneys general and the FTC. The SEC is a more recent entrant into the cybersecurity enforcement arena. It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts. This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly traded companies. In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.
