SEC Cybersecurity Disclosure Guidance Concerns
The new U.S. Securities & Exchange Commission (SEC) guidance on disclosure of cybersecurity risks is drawing criticism. That guidance, issued in March 2018, replaces an earlier version issued in 2011.
The new version was issued by the SEC, not the SEC’s Division of Corporation Finance as was the case in 2011, giving the new guidance a higher profile. It also is more explicit in some areas—for example, underlining the importance of disclosure explaining how a company’s board of directors is overseeing cybersecurity risks at the company. The typical route for disclosure is the filing of a Form 8-K. Cybersecurity attacks must be reported when they’re material.
But Rep. Stephen Lynch (R.-Mass.) voiced concern to William Hinman, the new director of the Division of Corporation Finance, at a hearing on April 26, 2018, in the House subcommittee on Capital Markets, Securities, and Investment. Lynch noted that only 3% of the 82 major cybersecurity attacks on public companies in 2017 were reported on Forms 8-K. He told Hinman that the problem is the definition of materiality. He stated that the new guidance doesn’t fix the problem, although he also said he isn’t sure a legislative solution is warranted.
Hinman acknowledged that deciding whether an attack is material can be difficult, with corporate lawyers loath to make a disclosure for fear of the impact on the company. He added that his division’s review of corporate disclosures on the issue of cybersecurity is “an item of priority.” Backing up that assertion was the SEC announcement on April 26, 2018, that Altaba, the entity formerly known as Yahoo! Inc., agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches, in which hackers stole personal data relating to hundreds of millions of user accounts.
Forced Arbitration Clauses a No-Go in IPO Registrations
A letter from SEC Chairman Jay Clayton to congressional Democrats appears to put to rest, at least for the moment, speculation that the SEC is considering changing the Exchange Act provision that prohibits companies from requiring investors to commit to not filing securities fraud cases in federal courts. William Hinman, director of the Division of Corporation Finance, confirmed at the House hearings on April 26, 2018, that the SEC is “not actively looking at” allowing companies to include forced arbitration clauses in registration documents they file in conjunction with IPOs.
Penalty paid by Altaba Inc. to settle charges it misled investors by failing to disclose a cybersecurity breach
Source: U.S. Securities & Exchange Commission, http://bit.ly/2Mi0rlP