SEC Takes Aim at Cybersecurity Disclosures
In February of this year, the Securities and Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures. In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach. These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.
Here are some key takeaways from both the Guidance and the Yahoo! Order:
Obviously, the SEC has its eye on the cybersecurity ball, and coordination among the Board, CEO, CFO, COO, and CIO/CTO/CISO/DPO is more important than ever in ensuring compliance with myriad disclosure requirements. Even for companies outside of industries directly subject to data security/privacy laws, regulations, and standards—e.g., healthcare (HIPAA), financial services (GLBA), retailers (PCI DSS and FTC Section 5)—efforts must be made to ensure that appropriate disclosure controls and procedures are adopted and implemented to avoid regulatory scrutiny and penalties.