In a shocking show of gumption, a ransomware gang has reportedly not only hacked a US public company’s (MeridianLink) IT systems, but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page, regarding Meridian Link’s claimed failure to disclose the incident in an 8-K in violation of the SEC’s new cybersecurity rules. Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (8-K requirement goes effective on…
In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company. But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal…
In this episode, Cynthia Cole, IP & Technology Partner based in Palo Alto, is joined by Jerome Tomas, Chair of the Firm’s Securities and Exchange (SEC) and Financial Institutions Enforcement Group based in Chicago, as the two discuss the SEC’s recently issued Final Rules for Cyber and what this means for public companies. Listen in to learn more about: Why should you care? The SEC has brought enforcement actions before based on data breach disclosure-what’s different…
In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…
In Brief On March 15, 2023, the US Securities Exchange Commission (“SEC”) proposed amendments to Regulation S-P (“Reg S-P”). If adopted, the amendments would introduce new data security and governance requirements for broker-dealers, investment companies, and investment advisers registered with the SEC. Background When the SEC first promulgated Regulation S-P in 2000, the goal was to ensure that covered entities establish adequate safeguards to protect customer information. The existing version consists essentially of two cornerstone…
In brief On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents. Key takeaways On March 9, 2022, the SEC proposed new disclosure requirements…
Commission Seeks Public Comment on Wide Range of Issues in Proposal On February 9, 2022, the Securities and Exchange Commission (SEC or Commission) voted 3-1, with Commissioner Peirce, the lone remaining Republican appointee opposed, to propose new rules under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940 (Investment Company Act) related to cybersecurity risk management, reporting of breach events, and recordkeeping for registered investment advisers and investment funds.1 If…
As predicted in our Connect on Tech discussion in March, the U.S. Securities and Exchange Commission (“SEC”) is ramping up its examination and enforcement focus on cybersecurity at financial institutions, including scrutiny on actual implementation and deployment of published procedures in response to discovery of cyber breach incidents. Furthermore, the SEC appears to signal its expectation that multi-factor authentication (“MFA”) for email accounts containing sensitive client and customer information should be in place. Email Account…
The Securities and Exchange Commission fined a real estate services company for inadequate disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed hundreds of thousands of sensitive customer records. Background In 2019, a cybersecurity journalist discovered and notified the real estate services company about a vulnerability with its document and images sharing app that exposed over 800 million images dating back to 2003, including documents that contained sensitive personal information such as…
Partners Peter Chan and Valerie Mirko join Brian Hengesbaugh to discuss the SEC and cybersecurity, leveraging their own experiences with the agency to give an overview of the past, present and future. Listen to learn about: The evolution of the SEC’s focus on cybersecurity, particularly with regard to financial institutionsAn insider’s take on what may trigger SEC investigationWhat’s in store with the Biden administration and how companies should prepare https://open.spotify.com/episode/5Z4nHbjxtrntljyEBMRRqF?si=J3ucfdTRQF6lArxRf540FA Related Resources: SEC Announces 2021…