The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Self-Reporting

  • From Vol. 1 No. 11 (Aug. 26, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part Two of Two)

    Public companies grapple with when and how to disclose the various cybersecurity risks they face and the incidents they experience in their SEC filings.  How much is enough to disclose to satisfy regulators and how much is too much – both to preserve reputations and avoid giving would-be hackers ammunition?  The first part of this two-part article series provided guidance on making appropriate disclosures to meet SEC and investor expectations.  This second part provides suggestions on risk themes to include in risk disclosures as well as examples of relevant disclosures made in the 10-K filings for The New York Times, Home Depot, Morgan Stanley and Target.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No. 10 (Aug. 12, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)

    The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors.  However, determining what is material, as well as when and how to disclose, is less clear.  This article, the first in a two-part series, provides guidance on how to make appropriate disclosures that will meet the expectations of the SEC and investors regarding form, substance and timing.  The second article will provide suggestions and examples for language to use in disclosures.  See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No. 4 (May 20, 2015)

    DOJ Encourages Cyber Incident Reporting and Advance Planning with Best Practices Guidance

    Following other government agencies that have weighed in on cybersecurity, the DOJ’s Cybersecurity Unit has published guidance titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” outlining its recommendations for steps to take prior to a cyber incident; how to respond to an incident, including mistakes often made in the chaos following an incident; and effective follow-up actions.  Experts say that while it is nothing new, the document does emphasize the government’s expectations.  The Guidance “reinforces the notion that a ‘check-the-box’ approach to cybersecurity does not suffice.  Companies must implement a thoughtful, robust and effective plan that is tailored to the company’s particular business, risks and operations,” Richard Tarlowe, counsel at Paul, Weiss, told The Cybersecurity Law Report.
