In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity enforcement issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.

But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Continue Reading Cybersecurity Disclosure Practices and Standards

It is now well known and understood that cybersecurity is a board level issue. This generalization is true not just for companies in the United States but for all companies around the world. In the following guest post, Joel Pridmore, Asia Pacific Underwriting Manager, Specialty, Corporate Insurance Partner, Munich Re Group, Saket Modi, CEO of Lucideus Technologies Pvt Ltd, and Richa Shukla, Partner, Khaitan Legal Associates take a look at this issue, with a particular focus on concerns for Indian companies. I would like to thank the authors for allowing me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.
Continue Reading Guest Post: Cyber Risk: A Board Level View

In this day and age, the members of the boards of directors of most companies understand that cybersecurity issues are important and should be a board-level priority. But while these issues and responsibilities are now well-recognized, many boards still struggle to translate these issues into action. In the following guest post, John Reed Stark, President, John Reed Stark Consulting LLC, and David R. Fontaine, President, Corporate Risk Holdings[1], take a look at these challenges and propose that in addressing their cybersecurity-related responsibilities boards should draw upon the same governance procedures they have long used with respect to financial accounting and reporting. The authors suggest well-advised boards will take this approach in light of the very real, difficult to control and ever increasing enterprise threat that cyber-attacks represent for their organizations.
Continue Reading Guest Post: Boards of Directors and Cybersecurity: Applying Lessons Learned From 70 Years of Financial Reporting Oversight