Invitation to Complimentary Webinar on SEC Cybersecurity Disclosure Guidance

On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.

On October 31st, Hogan Lovells will present a complimentary webinar exploring the impact of the Disclosure Guidance featuring senior lawyers in the Hogan Lovells Capital Markets and Privacy and Information Management practices, as well as a managing director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.

For more information, and to register, click here.

Since all businesses using the Internet are, to some degree, vulnerable to intrusions, what does the new guidance actually mean for public companies? That question, and the following, will be addressed in the webinar:

  • When does the risk of intrusion become material?
  • What are the triggers for reporting?
  • What assessments are required?
  • Does every company suffering a data security breach have to report it to the SEC?
  • What has to be reported?
  • How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
  • What is the best way for a company to get a full understanding of a cyberattack so that it can make the appropriate disclosure?
  • What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?

Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend.

SEC Issues First-Ever Guidance on Disclosure to Investors of Cybersecurity Risks

Following a request in May 2011 from Senator Jay Rockefeller (D-WVA) that the Securities and Exchange Commission advise public companies on when disclosure of cybersecurity risks to investors is mandated, on October 13 the Division of Corporation Finance at the SEC issued a Disclosure Guidance that, for the first time, advises registrants to evaluate their cybersecurity risks and, if those risks are deemed material, to disclose them to investors. The Guidance contains this caveat:

The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Still, companies that ignore the advice of the Division of Corporation Finance and fail to assess and disclose material cybersecurity risks do so at their peril, risking regulatory and legal action.

In the introduction to the Guidance, the SEC Staff acknowledged that overly-specific descriptions of cybersecurity risks filed on the public record could serve as a road map to cybercriminals:

We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws.

On when cybersecurity risks should be disclosed in SEC filings, the Guidance states:

In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Thus, the Guidance plainly suggests that a risk assessment is necessary to make the determination on whether disclosure is called for.

In terms of what disclosure is called for, the Guidance states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

  • Risks related to cyber incidents that may remain undetected for an extended period; and

  • Description of relevant insurance coverage.

The Guidance also advises registrants to address cybersecurity risks and cyber incidents in their MD&A if

the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

The SEC Staff gave as an example:

if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

This SEC Guidance is likely to result in public corporations engaging in a substantial and detailed assessment of their cybersecurity risks to determine whether public disclosure is required, and may lead to a litigation trend of plaintiffs suing corporations following a data security breach, alleging that the risks of such a breach were not properly assessed or disclosed.

The issuance of the cybersecurity disclosure guidance also raises the possibility that the SEC's long-dormant proposed revisions to Regulation S-P under the Gramm-Leach-Bliley financial privacy law, which would add specific data security steps for companies to follow, may be finalized as part of the Commission's effort to address growing concerns about cybersecurity in corporate America.

For First Time, SEC Imposes Fines Based Solely on Privacy Violations

The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC's jurisdiction to protect their customers' nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties. 

According to the SEC's orders, as GunnAllen was winding down its business operations last year, the firm's national sales manager, acting with the authorization of its president, transferred the names, addresses, account numbers, and asset values of more than 16,000 customers to a portable USB drive and provided those records to his new employer. The SEC determined that this transfer violated Regulation S-P because account holders were notified about it after the fact and not given reasonable notice and opportunity to opt out. The SEC also found that GunnAllen's former chief compliance officer failed to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information. According to the SEC, the policies and procedures were vague and simply recited the relevant portions of Regulation S-P verbatim, rather than specifying the security measures actually adopted by the firm. In addition, the compliance officer failed to revise or supplement the policies and procedures in response to several security breaches that occurred between 2005 and 2009. 

GunnAllen's president and national sales manager each agreed to a $20,000 fine, and the chief compliance officer agreed to a $15,000 fine. In addition, all three, without admitting wrongdoing, agreed to SEC censure. 

The SEC's announcement is available at the following link: http://www.sec.gov/news/press/2011/2011-86.htm

Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued under it by the agencies listed below impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.