Earlier today, our colleagues David Engvall, Keir Gumbs, Reid Hooper, and Matthew Wood in the Securities and Capital Markets practice group posted the below article on the SEC’s new statement and interpretive guidance on public company cybersecurity disclosures and insider trading on the Cov Financial Services blog.  The original article can be read here.

On February 21, 2018, the U.S. Securities and Exchange Commission (the “Commission”) approved a statement and interpretive guidance that provides the Commission’s views on a public company’s disclosure obligations concerning cybersecurity risks and incidents (the “2018 Commission Guidance”). This guidance reinforces and expands upon previous cybersecurity disclosure guidance issued by the Division of Corporation Finance (the “Staff”) in October 2011 (the “2011 Staff Guidance”).  The 2018 Commission Guidance also focuses on two additional issues: (i) maintenance of comprehensive policies and procedures related to cybersecurity, including sufficient disclosure controls and procedures, and (ii) insider trading in the cybersecurity context.
Continue Reading SEC Adopts New Guidance on Public Company Cybersecurity Disclosures and Insider Trading

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized

By Ciarra Chavarria

On June 8, 2016, the Securities and Exchange Commission announced that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) had agreed to pay $1 million as a penalty for charges relating to its “failures to protect customer information.”

Morgan Stanley’s settlement with the SEC came several months after a federal court found one of Morgan Stanley’s former financial advisers, Galen Marsh, guilty of illegally uploading confidential information from approximately 730,000 of Morgan Stanley’s clients to his personal computer. Marsh’s server was later hacked by third parties and confidential information of at least 900 clients appeared online for sale.  Marsh was sentenced to thirty-six months of probation and a $600,000 fine.
Continue Reading Morgan Stanley to Pay $1 Million Penalty in SEC Cybersecurity Settlement

On December 17, 2015, Senators Reed (D-RI) and Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015 (S. 2410), which has been referred to the Committee on Banking, Housing, and Urban Affairs.  According to the press release accompanying the bill, it “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.”

The bill applies to “reporting companies,” defined as companies that issue registered securities under 15 U.S.C. § 78l or companies that are required to file reports with the Securities and Exchange Commission (“SEC”) under 15 U.S.C. § 78o(d).  It requires the SEC to issue rules within one year of enactment that require reporting companies to include disclosures relating to the cybersecurity expertise of their corporate boards in their annual reports.
Continue Reading Senators Introduce Bill Requiring Cybersecurity Expertise Reports to SEC

Recent discoveries of data security breaches have raised a perennial question for public companies:  are public companies required by law or practice to provide material updates to their investors when bad things happen?  The answer can be quite surprising. 

Disclosure at the Time of the Event

As a threshold matter, federal securities law does not explicitly impose an affirmative duty on issuers to disclose data security breaches or failed attempts to breach a company’s data security.  There is no specific line item in any SEC disclosure document, rule or regulation that specifically requires such disclosures.  In this regard, federal securities law does not require the disclosure of this, or other information, solely because it might be “material.”  Instead, the determination of whether material information is required to be disclosed depends on whether such information is required to be disclosed in the applicable form, or is necessary to make other statements made not misleading. 

For example, Form 8-K, the form that is generally used to provide markets and investors with current information, is only required to be filed when one of the specific items included in the form is triggered.  These include things such as entry into or termination of material contracts, the acquisition or disposition of a material business or a material amount of assets, the appointment or termination of executive officers or directors, and similar occurrences.  Events that do not involve one of the enumerated triggers may be filed under Item 8.01 as an “Other Event” or under Item 7.01 as “Regulation FD Disclosure,” which is intended to allow companies to comply with Regulation FD, which generally requires that companies publicly disclose information that they intend to disclose privately to investors or others.  Form 8-K does not include a specific line item relating to data security breaches or similar events – even if such events are material.
Continue Reading When are Public Companies Required to Disclose that They Have Experienced a Material Data Security Breach?

Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar.

The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment advisers to “adopt policies and

Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft.  The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures

Despite studies indicating that data security is a top concern for executives and corporate boards — a development we previously blogged about here — barely half of employees are familiar with their company’s information security policies, according to a survey by Forrester Research.  The report explains, “only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies.” 

This lack of awareness and employee training undoubtedly contributes to the ongoing problem of data breaches, many of which are caused by employee carelessness.  According to the same Forrester study, 31% of data breaches are attributable to simple loss or theft, such as employees losing laptops or USB drives; another 27% are caused by employees inadvertently misusing corporate assets.  A Ponemon Institute survey of 49 U.S. companies similarly found that negligent insiders were the root cause of 39% of data breaches studied. 

The Forrester report and similar surveys have found other surprisingly common data security weaknesses:
Continue Reading Surveys Reveal Surprisingly Common Data Security Shortcomings

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue.

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks–and incidents–have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups.

Continue Reading SEC’s Division of Corporation Finance Issues Guidance on Disclosing Cybersecurity Risks