Tag: SEC
Federal Court Dismisses Bulk of SEC’s Complaint Against SolarWinds in Cyberattack Case
On July 18, 2024, US District Judge Paul Engelmayer of the Southern District of New York issued a detailed 107-page opinion and order dismissing most of the US Securities and Exchange Commission (SEC) case against SolarWinds and its chief information security officer (CISO). The SEC’s amended complaint alleged that SolarWinds and its […]
SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update
There are a number of US Securities and Exchange Commission (SEC) reporting implications arising from the server-related outages caused by CrowdStrike’s defective software update on July 19, 2024, and their impacts on public companies, particularly in light of the SEC’s new cybersecurity disclosure rules. While the situation on the ground […]
SEC Settles Charges Against RR Donnelley Related to Cybersecurity Incident Disclosure and Internal Access Controls
On June 18, 2024, the Securities and Exchange Commission (SEC) announced that it had settled claims against RR Donnelley (RRD) related to a 2021 ransomware and cyber extortion attack. Despite RRD having discovered and reported the incident within 30 days (a relatively short time frame for investigating complex data breaches), […]
Fatal Flaws in SEC’s Amended Complaint Against SolarWinds
In March 2024, a coalition of more than 50 cybersecurity leaders and organizations called for dismissal of an amended complaint by the Securities and Exchange Commission (SEC) against SolarWinds and its chief information security officer (CISO), Tim Brown. Amici from the business community and the software industry, as well as […]
Fatal Flaws in SEC’s Amended Complaint Against SolarWinds
In March 2024, a coalition of more than 50 cybersecurity leaders and organizations called for dismissal of an amended complaint by the Securities and Exchange Commission (SEC) against SolarWinds and its chief information security officer (CISO), Tim Brown. Amici from the business community and the software industry, as well as […]
CISA Opens Notice and Comment Process on CIRCIA Draft Regulations
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security published a long-awaited notice of proposed rulemaking (NPRM) pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed into law in 2022 by President Joe Biden, CIRCIA required CISA to […]
Key Considerations for Form 8-K Cybersecurity Materiality Determinations
With 8-K reporting obligations for “material” cybersecurity incidents under the new Securities and Exchange Commission (SEC) rules becoming effective as of December 18, 2023, most companies will soon be tasked with making “real-time” materiality determinations following a cybersecurity incident. While the SEC has emphasized that the new Item 1.05 reporting […]
SEC Adopts Comprehensive Cybersecurity Disclosure Requirements
On July 26, 2023, the Securities and Exchange Commission (SEC) voted at an open meeting to adopt final rules to mandate standardized cybersecurity disclosures by public companies. The final rules will: The final rules will become effective 30 days after publication in the Federal Register. Companies other than smaller reporting companies […]
SEC Enforcement Targets Cybersecurity Disclosures Again
Securities and Exchange Commission Chairman Gary Gensler has pledged to bring a renewed focus to robust enforcement of the federal securities laws. As we observed in a recent blog post, under Chairman Gensler and Director Gurbir Grewal, the SEC’s Division of Enforcement will be more aggressive in several arenas—including public company […]
SEC Poised to Ramp up Cybersecurity Enforcement
On October 16, 2018, the Securities and Exchange Commission (SEC) issued an investigative report signaling its intent to use sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 (the “Exchange Act”) to pursue enforcement actions against public companies that fail to tailor their internal controls to evolving cyber […]