{"id":2055,"date":"2021-09-15T13:10:12","date_gmt":"2021-09-15T17:10:12","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2055"},"modified":"2021-09-15T13:10:12","modified_gmt":"2021-09-15T17:10:12","slug":"yet-another-cybersecurity-and-disclosure-controls-and-procedures-enforcement","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/yet-another-cybersecurity-and-disclosure-controls-and-procedures-enforcement\/","title":{"rendered":"Yet Another Cybersecurity and Disclosure Controls and Procedures Enforcement"},"content":{"rendered":"

In this post from June 28, 2021<\/a>, we reviewed an SEC enforcement action focused on the relationship between cybersecurity risks and disclosure controls and procedures.\u00a0 This relationship was emphasized in the SEC\u2019s February 26, 2018 Release, Commission Statement and Guidance on Public Company Cybersecurity Disclosures<\/a>:<\/p>\n

\u201cCrucial to a public company\u2019s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.\u201d<\/p>\n

On August 16, 2021, less than two months after the June case, the SEC announced<\/a> another cybersecurity-related enforcement involving failure to make appropriate disclosures about a breach and the related lack of necessary disclosure controls and procedures.<\/p>\n

You can read the details in this Press Release<\/a> and the related SEC Order<\/a>.\u00a0 According to the SEC the company, an educational publisher, learned in March 2019 that:<\/p>\n

\u00a0\u201c\u2026millions of rows of data stored on the AIMSweb 1.0 server had been accessed and downloaded by a sophisticated threat actor using an unpatched vulnerability on this server.\u201d<\/p>\n

Further, according to the SEC Order<\/a>, even though an actual breach had occurred, the company referred to the risk as hypothetical in its mid-year report:<\/p>\n

\u201cIn its July 26, 2019 report furnished to the Commission, (the company\u2019s) risk factor disclosure implied that (the company) faced the hypothetical risk that a \u201cdata privacy incident\u201d \u201ccould result in a major data privacy or confidentiality breach\u201d but did not disclose that (the company) had in fact already experienced such a data breach.\u201d<\/p>\n

According to the Press Release, in a July 2019 statement, released after the company had been contacted by the media about the breach, it indicated that \u201cthe breach may include dates of births and email addresses.\u201d\u00a0 When the company released this statement, it knew that this information had been breached.\u00a0In addition, the statement said the company had “strict protections” in place.\u00a0 In reality, it had failed to patch the critical vulnerability behind the breach for six months after a vendor notified it about the problem.<\/p>\n

The company\u2019s share price fell by 3.3% after this announcement.\u00a0 The SEC Order discusses various considerations in determining the materiality of the breach, including this statement in paragraph 11:<\/p>\n

\u201cThe breach at issue was material because (the company\u2019s) business, including but not limited to AIMSweb 1.0, involved collection and storage of large quantities of private data on school-age children around the world.\u201d<\/p>\n

Disclosure controls and procedures were directly addressed in this part of the SEC Order<\/a>:<\/p>\n

\u201c(The company\u2019s) processes and procedures around the drafting of its July 26, 2019 Form 6-K Risk Factor disclosures and its July 31, 2019 media statement failed to inform relevant personnel of certain information about the circumstances surrounding the breach. Although protecting student and user data is critical to (the company\u2019s) business, and (the company) had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company\u2019s filings.\u201d<\/p>\n

The message in this case is clear.\u00a0 Companies must assure that cybersecurity breaches are communicated in the disclosure process and carefully evaluated for materiality and disclosure to investors.<\/p>\n

As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"

In this post from June 28, 2021, we reviewed an SEC enforcement action focused on the relationship between cybersecurity risks and disclosure controls and procedures.\u00a0 This relationship was emphasized in the SEC\u2019s February 26, 2018 Release, Commission Statement and Guidance on Public Company Cybersecurity Disclosures: \u201cCrucial to a public company\u2019s ability to make any required … Continue reading Yet Another Cybersecurity and Disclosure Controls and Procedures Enforcement<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false},"categories":[143,242],"tags":[],"coauthors":[154],"class_list":["post-2055","post","type-post","status-publish","format-standard","hentry","category-hot-topic","category-reporting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2055"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2055\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2055"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}