Proposed Rules On Cybersecurity Disclosure
Earlier this year, the SEC published proposed rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies. Although the comment period has passed, a final rule has not yet been issued. As of now, cybersecurity disclosures are encompassed within the general anti-fraud provisions including the requirement to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading” as well SEC guidance last updated in 2018 (see HERE).
The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the company’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would further
Yahoo Hacking Scandal And Obligations Related To Cybersecurity
On September 26, 2016, Senator Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, wrote a letter to the SEC requesting that they investigate whether Yahoo, Inc., fulfilled its disclosure obligations under the federal securities laws related to a security breach that affected more than 500 million accounts. Senator Warner also requested that the SEC re-examine its guidance and requirements related to the disclosure of cybersecurity matters in general.
The letter was precipitated by a September 22, 2016, 8-K and press release issued by Yahoo disclosing the theft of certain user account information that occurred in late 2014. The press release referred to a “recent investigation” confirming the theft of user account information associated with at least 500 million accounts that was stolen in late 2014. Just 13 days prior to the 8-K and press release, on September 9, 2016, Yahoo filed a preliminary 14A filing with