Tag Archives: Cybersecurity

Faulty Cybersecurity Disclosures and a Big Fine

Here is an issue to focus on as we draw to the end of the second quarter and plan our periodic reporting.

Rarely does a month pass without dramatic news stories about cybersecurity breaches.  Targets include large companies such as Equifax, not-for-profits such as hospitals and even government agencies like the SEC.

Earlier this year the SEC augmented their 2011 cybersecurity disclosure guidance in CorpFin Disclosure Topic Twowith a formal Commission Release.  As we blogged,the Release in large part reinforced the Disclosure Topic Two guidance and added guidance about control and insider trading issues.

When the SEC issues new guidance one of the ways they sometimes emphasize its importance is with an enforcement case.  And, that has happened here.  Altaba, Inc, which was formerly Yahoo, has been fined $35 million for failure to make timely and accurate disclosures about their major cybersecurity breach. As you may have read, there was a significant delay in disclosure of the breach on the part of Altaba (Yahoo), and the enforcement release highlights several other disclosure issues surrounding the breach, including the fact that Yahoo’s disclosure controls and procedures were not effective.  Here is a quote from Jina Choi, the San Francisco Regional Office Director:

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.  Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

You can read details here.

As always, your thoughts and comments are welcome!

Some Cybersecurity Risk-Management Support

Cybersecurity Risk continues to be a huge and problematic issue. Processes and tools to respond to Cybersecurity incidents are constantly evolving. To help you keep up to date with these issues our “Cybersecurity 2016: Managing Cybersecurity Incidents” program will be offered on September 20 live in NY and via webcast.


Topics to be addressed will include:


Overview of the cyber insurance market and what to look for when purchasing

Cybersecurity provisions to include in vendor and business partner agreements

Managing a forensic investigation

Threat landscape: how can companies protect themselves?

Cybersecurity Act of 2015 and its ramifications for the private sector, plus SEC activity

EU developments on breach notification in the GDPR and NIS Directive


The program will also include these special features:


Cyberattack simulation

Hacker’s perspective: what are they seeking?

CISO and Regulators panel: strategies for global companies and guidance on sharing information with the government


You can learn more here.


As always, your thoughts and comments are welcome!

Cybersecurity’s “Evilution”

In our tech involved world the risk of cyber attack is constantly transmogrifying into ever more complex and evil modes. From phishing to ransomware to who knows what next, this risk is constantly changing.


To help you keep up-to-date with regulatory issues concerning this risk and to help make appropriate disclosures PLI is presenting a new One-Hour Briefing: Cybersecurity in the Age Of Regulators Gone Wild


You can read all about the briefing at:





As always, your thoughts and comments are welcome!


10-K Tip Number Seven for 2016 – Cybersecurity


Is there a hotter disclosure topic than cybersecurity in the SEC reporting world right now? That of course is why we included it as a hot topic on our 2016 Form 10-K Tune-Up (Which is now available on-demand with CLE and CPE credit at:

www.pli.edu/Content/OnDemand/Second_Annual_Form_10_K_Tune_Up/_/N-4nZ1z116ku?fromsearch=false&ID=278540   )


As perhaps the most important cybersecurity 10-K drafting reminder, don’t forget to review Corp Fin Disclosure Guidance Topic 2 as you draft and review. The Disclosure Guidance Topic is at:



And, for some examples and other thoughts, we have done a number of posts in our blog about cybersecurity. You can review them at:

Cybersecurity – What the what??



Comment of the Week Cybersecurity Risks Galore



Cybersecurity – The Continuing Saga




Cybersecurity – Help Managing the Risk




As always, your thoughts and comments are welcome!



Cybersecurity – Help Managing the Risk

Cybersecurity risk continues to be in the news. The nature and severity of cybersecurity breaches seem to grow in severity and complexity. Both preventive and remedial cybersecurity related costs are continually increasing in our business environment. Fortunately, the tools available to manage cybersecurity risk also continue to evolve. The magnitude of this risk is so large that some companies view cybersecurity breaches all but inevitable!

In this changing world we are presenting a cybersecurity focused conference in September. The conference is titled “Cybersecurity 2015: Managing the Risk”. You can learn more about the program, which will be webcast, and review the agenda at:


As always, your thoughts and comments are appreciated!

Cybersecurity – What the what??

After all the chaos and drama surrounding the most recent cybersecurity hack at Sony, the focus on this area has become even more intense.

Clearly, the first priority is doing whatever is possible to manage cybersecurity risk. Action steps must depend on each company’s specific situation, and there is no one-size-fits-all solution. To help in this regard PLI is presenting a One Hour Briefing on February 18, 2015 titled “ Cyber Security After Sony: Practice Points and Risk Mitigation Strategies”. You can learn more about the program at:


We also have archived the webcast of our one-day program on managing cybersecurity at:


From a disclosure perspective, the issues and the high public profile of the Sony hack raise the question whether cybersecurity risk should be disclosed in more detail or depth in upcoming filings. As a reminder, the SEC’s current guidance for cybersecurity risk disclosures is in CorpFin Disclosure Guidance Topic 2 at:


A point to remember for now, which is brought out in the Disclosure Guidance Topic, is this area may not be just a risk factor disclosure. Depending on the nature of the cybersecurity risk your company faces and cybersecurity issues you have encountered, disclosure in:

The business section
Legal proceedings
MD& A, and
The financial statements

may be necessary.

As always, we welcome your thoughts and feedback!