In a first-of-its-kind enforcement action, the SEC has levied a $35 million penalty against Altaba, Inc., as successor in interest to Yahoo, for Yahoo’s two-year delay in reporting the massive data breach the company experienced in December 2014. Altaba, which neither admitted nor denied any wrongdoing, agreed to pay the penalty as part of the settled resolution of SEC cease-and-desist proceedings. The penalty follows the SEC’s recent release of cybersecurity disclosure guidance for reporting companies and clearly indicates that the agency is increasingly focused on companies’ cybersecurity disclosure practices. The SEC’s April 24, 2018 press release about the penalty can be found here. The SEC’s April 24, 2018 order in the cease-and-desist proceedings can be found here.
Continue Reading First-Ever SEC Data Breach Disclosure Enforcement Penalty Imposed

David Fontaine
John Reed Stark

As I noted in a post at the time, on February 21, 2018, the SEC released its cybersecurity disclosure guidance for publicly traded companies. In the following guest post, David Fontaine, CEO of Kroll, Inc. and its parent, Corporate Risk Holdings, and John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, take a look at the SEC’s guidance, with a particular focus on what the agency’s statement has to say about the duties of corporate directors. A version of this article originally appeared on The Harvard Law School Forum on Corporate Governance and Financial Regulation (Here). I would like to thank David and John for their willingness to allow me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David and John’s article.
Continue Reading Guest Post: Cybersecurity: The SEC’s Wake-Up Call to Corporate Directors

John Reed Stark

As I noted in a post at the time, on February 21, 2018, the SEC issued its guidance for cybersecurity-related disclosures. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, has pulled together a list of 12 takeaways for corporate officials from the SEC’s guidance. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: A Dozen C-Suite Takeaways from the 2018 SEC Cyber-Disclosure Guidance

After a bit of last-minute drama, the SEC on Wednesday issued its guidance for public company cybersecurity disclosures. The Commission’s guidance document emphasizes companies’ disclosure obligations under existing law and requirements. The statement also underscores the Commission’s concerns about insider trading prohibitions and the obligation of reporting companies to refrain from making selective disclosures about nonpublic information. As discussed below, the Commission’s Democratic members criticized the statement for not going far enough. The Commission’s February 21, 2018 press release about the cybersecurity disclosure guidance can be found here. The Commission’s statement and guidance on cybersecurity disclosure can be found here. SEC Chair Jay Clayton’s statement about the Commission’s guidance can be found here.
Continue Reading SEC Releases Cybersecurity Disclosure Guidance

It is now well known and understood that cybersecurity is a board-level issue. This generalization is true not just for companies in the United States but for companies around the world. In the following guest post, Joel Pridmore, Asia Pacific Underwriting Manager, Specialty, Corporate Insurance Partner, Munich Re Group; Saket Modi, CEO of Lucideus Technologies Pvt Ltd; and Richa Shukla, Partner, Khaitan Legal Associates, take a look at this issue, with a particular focus on concerns for Indian companies. I would like to thank the authors for allowing me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.
Continue Reading Guest Post: Cyber Risk: A Board Level View

Keith B. Daniels, Jr.

The European Union General Data Protection Regulation (GDPR) is scheduled to go into effect in May 2018. This regulation (unlike the 1995 Data Protection Directive it replaces, it applies directly in every EU member state without national implementing legislation) has significant implications for any company that offers products or services to EU residents, wherever that company is located. In the following guest post, Keith B. Daniels, Jr., Esq., an attorney and the founder of CyberCounsel, takes a detailed look at the EU regulation and reviews its implications for affected companies and their insurers. I would like to thank Keith for allowing me to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Keith’s article.
Continue Reading Guest Post: Directors Beware: The EU’s General Data Protection Regulation Is Upon Us!

David M. Furbush
David M. Lisi

Cybersecurity issues are currently at the top of the agenda for corporate boards. In the following guest post, David M. Furbush and David M. Lisi of the Pillsbury law firm review what corporate directors should understand about their companies’ cybersecurity risks and how boards can go about proactively participating in decisions about what to do to mitigate these risks. I would like to thank David and David for their willingness to allow me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David and David’s guest post.
Continue Reading Guest Post: What Corporate Directors Need to Know about Cybersecurity

Andrew G. Lipton
Laura Schmidt

Although a number of high-profile data breaches have led to D&O claims, so far the plaintiffs’ track record in these kinds of cases has been poor. However, as a result of a number of recent developments, there may be good reason for corporate directors and officers to be concerned about these kinds of claims going forward, as discussed in the following guest post by Andrew G. Lipton and Laura Schmidt, both associates at the White & Williams law firm. I would like to thank Andrew and Laura for submitting their article for publication as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Andrew and Laura’s guest post.
Continue Reading Guest Post: Breaching the Firewall: D&O Exposure from Cybersecurity Incidents

One of the fundamental principles on which our system of securities regulation is based is the importance of disclosure. The system is built on the notion that companies must disclose certain basic information about their operations and performance so that investors can make informed investment decisions. While the disclosures required are a matter of regulation and statute, investors’ and regulators’ expectations about what must be disclosed change over time. Signs are that disclosure expectations, and as a result disclosure practices, are changing rapidly in two particular areas: cybersecurity and climate change.
Continue Reading Now Trending: Cybersecurity and Climate Change Disclosure Practices