On July 26, 2023, a divided SEC adopted, by a 3-2 vote, final rules for cybersecurity disclosures. The final rules are based on proposed rules the agency first introduced in March 2022. The rules require companies to disclose material cybersecurity incidents they experience, and also to disclose on an annual basis material information regarding their cybersecurity risk management and governance. The rules will have a significant impact on reporting companies’ disclosure practices and could present a challenge for some companies. A copy of the final cybersecurity disclosure rules can be found here. The SEC’s July 26, 2023, press release about the final cybersecurity disclosure rules can be found here. The SEC’s two-page fact sheet about the new rules can be found here.

Continue Reading SEC Adopts Final Cybersecurity Disclosure Rules

As I noted in my year-end round up of D&O related issues (here), plaintiffs’ lawyers have continued to file securities class action lawsuits following cybersecurity incidents, even though the plaintiffs’ track record in these kinds of lawsuits generally has been poor. Among the cybersecurity-related securities lawsuits filed last year was the suit against cloud-based software company Okta relating in part to the cybersecurity incident at the company earlier in the year. Consistent with the general trend, on March 31, 2023, the court presiding over the Okta securities lawsuit granted the defendants’ motion to dismiss the cybersecurity-related allegations, although the court denied the dismissal motion with respect to certain of the plaintiffs’ other unrelated allegations. The court granted the plaintiff leave to amend the dismissed allegations. The court’s March 31, 2023, order can be found here.

Continue Reading Cybersecurity-Related Securities Suit Allegations Against Okta Dismissed

For several years now, one of the perennial questions in the corporate and securities arena has been the extent to which cybersecurity-related issues will contribute to D&O claims. There has never really been the volume of securities and derivative lawsuits that some observers expected, but there has been a small scattering of occasional suits filed from time to time. Now, in what is the latest cybersecurity-related D&O suit, a plaintiff shareholder has filed a securities class action lawsuit against pay-TV services provider Dish Networks, related to a network service disruption at the company caused by a cybersecurity incident. A copy of the March 23, 2023, complaint can be found here.

Continue Reading Dish Networks Hit with Cybersecurity-Related Securities Suit

On March 9, 2023, the SEC announced that data management software company Blackbaud, Inc. had settled charges that the company’s cybersecurity disclosure policies and procedures violated the agency’s public company disclosure reporting requirements and that the company had made misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 of its customers. The company, which neither admitted nor denied the charges, agreed to a cease-and-desist order and to pay a $3 million penalty. The action, which follows a similar proceeding involving cybersecurity disclosures and procedures, highlights the agency’s focus on cybersecurity-related disclosures.

Continue Reading SEC Charges Company Over Disclosures Concerning Ransomware Attack

The directors’ and officers’ liability environment is always changing, but 2022 was a particularly eventful year, with important consequences for the D&O insurance marketplace. The past year’s many developments also have significant implications for what may lie ahead in 2023 – and possibly for years to come. I have set out below the Top Ten D&O Stories of 2022, with a focus on future implications. Please note that on Thursday, January 12, 2023 at 11:00 AM EST, my colleagues Marissa Streckfus, Chris Bertola, and I will be conducting a free, hour-long webinar in which we will discuss The Top Ten D&O Stories of 2022. Registration for the webinar can be found here. I hope you will please join us for the webinar.

Continue Reading The Top Ten D&O Stories of 2022

Jarett Sena

As I have noted in numerous posts on this site (most recently here), plaintiffs’ lawyers seem drawn to filing D&O claims against companies that have experienced cybersecurity incidents. But as I have also noted, the plaintiffs’ lawyers’ track record in these cases is not particularly good. However, as discussed in the following guest post by Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services, the cybersecurity-related securities class action lawsuit pending against SolarWinds recently resulted in a significant and noteworthy settlement. This article previously was published on ISS Securities Services’ ISS Insights. I would like to thank Jarett and ISS Securities Class Action Services for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Jarett’s article.
Continue Reading Guest Post: SolarWinds Agrees to $26 Million Payout Over Massive Data Breach

In numerous prior posts I have examined efforts by plaintiffs’ attorneys to try to impose civil liability on corporate executives in D&O claims following cyber security incidents. Two recent cases show that, in addition to potential civil litigation liability exposure, corporate executives may also face potential regulatory liability and even criminal liability exposure for cyber security incidents at their company. The two recent cases are discussed in an October 27, 2022 memo from the White and Case law firm, here.
Continue Reading Corporate Executives Face Personal Liability Exposure for Cyber Incidents

In prior posts on this site (for example here), I have expressed my concern that the current hot topic of ESG has a fundamental underlying flaw in that the term lacks definition and that this lack of precision has led to a great deal of sloppy thinking. A recent post on the Harvard Law School Forum on Corporate Governance provides a good examination of these ESG-related concerns. In an October 14, 2022 post (here), Douglas Chia of Soundboard Governance LLC shows, using cybersecurity as an example, that one of the “biggest flaws” of ESG is “the subjective open-endedness of what counts as E, S, or G.”
Continue Reading ESG’s “Biggest Risk”?

The payment technology firm Block, Inc. (formerly known as Square) has been hit with a securities class action lawsuit related to the company’s announcement earlier this year that a former employee had improperly accessed and downloaded company customer data. The new lawsuit is the latest example of the ways in which data security incidents can translate into D&O claims. The complaint, filed on October 11, 2022, can be found here.
Continue Reading Payments Company Hit With Data Breach-Related Securities Suit