In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.
Continue Reading Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident
As I discussed in a post at the time (here), in August 2021 the SEC brought a cybersecurity-related disclosure enforcement action against UK educational publishing firm Pearson plc. In the following guest post, Paul Ferrillo, Daphne Morduchowitz and James Billings-Kang take a detailed look at the Pearson enforcement action and discuss the action’s implications. Paul and Daphne are partners and James is an associate at the Seyfarth Shaw law firm. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.
Continue Reading SEC Ramps Up Its Cyber-Security Enforcement in Pearson Matter
Every year after Labor Day, I take a step back and survey the most important current trends and developments in the world of Directors’ and Officers’ liability and insurance. This year’s review is set out below. As the following discussion shows, this is a particularly eventful time in the world of D&O.
Continue Reading What to Watch Now in the World of D&O
On June 15, 2021, the SEC announced that it had settled charges that a title insurance company’s cybersecurity disclosure controls and procedures violated the agency’s public company reporting requirements. The title insurance company, First American Financial Corp., which neither admitted nor denied the charges, agreed to a cease-and-desist order and to pay a penalty. The charges do not represent the first time the SEC has pursued actions against a company for cybersecurity-related disclosures, but they do underscore the agency’s focus on cybersecurity disclosure-related issues, a topic that may be a source of increased focus ahead.
Continue Reading Title Insurance Company Settles SEC Cybersecurity Disclosure-Related Charges
In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity enforcement issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.
But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Continue Reading Cybersecurity Disclosure Practices and Standards
Earlier this week, media reports circulated that this past spring Google had exposed the private data of thousands of the Google+ social network users and then opted not to disclose the issue, in part because of concerns that doing so would draw regulatory scrutiny and cause reputational damage. In the wake of these revelations, one question is whether the SEC will look into these circumstances. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at what he regards as a likely SEC investigation and the questions that the SEC likely will be asking. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s post.
Continue Reading Guest Post: Ten Questions the SEC Will Probably Be Asking Google