cyber disclosure

Subscribe to cyber disclosure via RSS

In what seems is likely to be the last cybersecurity-related enforcement action by the SEC under outgoing chair Gary Gensler, the agency has brought a settled enforcement action against asset management firm Ashford, Inc., alleging that the company made misrepresentations in its periodic reporting documents about a cybersecurity-related incident at the firm. As discussed below, the action raises questions about what may come next as far as SEC cybersecurity-related enforcement under the new administration. A copy of the SEC’s January 13, 2025, complaint in the enforcement action can be found here. The SEC’s January 13, 2025, press release about the action can be found here.Continue Reading SEC Files Cyber Disclosure Enforcement Action Against Asset Manager

Cybersecurity threats are on the rise. Companies that find themselves hit with data breaches face a number of challenges, including in particular the challenge of responding to strict breach disclosure and notification requirements. In the following guest post, Paul A. Ferrillo, a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice, takes a look at the steps the companies can take before they are breached to be better positioned to respond to the notification requirements in the event of a breach. I would like to thank Paul for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: Beat the Clock: 5 Important Steps to Deal with Today’s Complicated Cyber Breach Disclosure World

Both the volume of SEC enforcement activity and the level of financial recoveries increased in the fiscal year that ended September 30, 2018, according to the agency’s annual enforcement activity report. The increases came after activity had been down in the prior year, the first year under the current presidential administration. However, the agency’s enforcement chiefs cautioned against placing too much weight on the numbers alone. The report contains some interesting signs of what we might expect in the current fiscal year. The SEC’s enforcement report can be found here. The agency’s November 2, 2018 press release about the report can be found here.
Continue Reading SEC 2018 FY Enforcement Report Shows Increased Activity, Recoveries

John Reed Stark

As I noted in a post at the time, on February 20, 2018, the SEC issued its guidance for cybersecurity-related disclosures. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, has pulled together of list of 12 takeaways for corporate officials from the SEC’s guidance. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: A Dozen C-Suite Takeaways from the 2018 SEC Cyber-Disclosure Guidance

After a bit of last-minute drama, the SEC on Wednesday issued its guidance for public company cybersecurity disclosures. The Commission’s guidance document emphasizes companies’ disclosure obligations under existing law and requirements. The statement also underscores the Commission’s concerns about insider trading prohibitions and the obligation of reporting companies to refrain from making selective disclosures about nonpublic information. As discussed below, the Commission’s Democratic members criticized the statement for not going far enough. The Commission’s February 21, 2018 press release about the cybersecurity disclosure guidance can be found here. The Commission’s statement and guidance on cybersecurity disclosure can be found here. SEC Chair Jay Clayton’s statement about the Commission’s guidance can be found here.
Continue Reading SEC Releases Cybersecurity Disclosure Guidance

yahooEver since the SEC released its cyber security disclosure guidelines in October 2011, commentators (including me) have been speculating whether the agency might try to nab a company whose disclosure practices the agency might use as sort of a test case on the guidelines’ requirements.  It now appears, at least based on media reports, the SEC is investigating Yahoo in what may yet become the long-anticipated test case. According to a front page January 23, 2017 Wall Street Journal article (here), the SEC has opened an investigation looking into Yahoo, Inc.’s disclosures of two massive data breaches the company reported last year.
Continue Reading Will Yahoo’s Data Breach Reporting Become the Test Case for the SEC’s Cyber Disclosure Guidelines?

cfpbUntil now, the primary federal agency regulating data security has been the Federal Trade Commission. Indeed, in August 2015, the Third Circuit in the Wyndham Worldwide case affirmed the FTC’s regulatory enforcement authority against companies failing to take appropriate action to protect consumer financial information. However, other federal regulatory agencies are now increasing asserting their authority with respect to data security issues, including in particular, the Consumer Financial Protection Bureau (CFPB), which recently brought its first data security enforcement action. These developments underscore the fact that companies face a growing regulatory exposure relating to cybersecurity issues. The specific recent developments also highlight the expectations regulators are asserting with respect to board responsibility for cybersecurity issues and establish that companies can face data security enforcement action even if the companies have not themselves experienced a data breach.
Continue Reading Federal Agencies Joining the Data Security Enforcement Action Bandwagon

capitoldomeIt is not news that cybersecurity is a serious corporate and domestic security concern. But despite continuing revelations of high-profile data breaches, cybersecurity is an area (OK, one of the many areas) where Congress has been slow to act. While there is still as yet no comprehensive Congressional attempt to tackle cybersecurity as an issue and as a phenomenon, two U.S. senators have now introduced a bipartisan bill that would require publicly traded companies to disclose the cybersecurity expertise or experience that is represented on its board of directors or to disclose what other steps the company has taken to identify or evaluate nominees for this board level cybersecurity position.
Continue Reading Senate Bill Would Require Disclosure Concerning Corporate Boards’ Cybersecurity Expertise

whAs previously discussed on this blog (refer for example here), over the years there have been a number of different responses from the federal government to the threat of cyberattacks on U.S. companies and infrastructure, but overall the government’s track record on the issue is mixed. However, according to a January 12, 2015 Wall

dojCybersecurity has been a hot button issue for quite a while, but the U.S. Department of Justice ratcheted things up last week when it announced the indictment of five Chinese military officers for hacking into U.S. companies’ computers to steal trade secrets and other sensitive business information. U.S. prosecutors clearly believe the intrusions were serious