Earlier this year, the National Association of Corporate Directors released an updated version of its Director’s Handbook on Cyber-Risk Oversight. The NACD’s issuance of an update to its Handbook in just three years signals that cybersecurity-related governance expectations of companies and directors are evolving. While the use of and compliance with the Handbook is not mandatory, the Handbook is influential in shaping governance practices and thus it is prudent for those involved in corporate governance to familiarize themselves with the changes.
On October 13 the Division of Corporate Finance at the US Securities and Exchange Commission issued a Disclosure Guidance that for the first time advises registrants — public companies — to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. This Guidance is likely to lead to public companies performing formal and detailed assessments of the cybersecurity risks, and may lead to shareholder litigation following data security breaches with claims that a company failed to perform the assessment and disclose the risks recommended in the Guidance for complaince with securities disclosure laws.
The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC’s jurisdiction to protect their customers’ nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties.