Posts Tagged ‘disclosure’
Qualitatively Material Cyber Incidents
Today I want to revisit the new SEC rules for disclosing material cybersecurity incidents, and in particular those qualitatively material incidents that might seem especially tricky to assess and prevent. What internal controls become more important for that type of threat? This is on my mind because we’re already starting to see some companies disclose…
SolarWinds, Part III: ‘Following’ the NIST Framework
Today we return to the lawsuit the Securities and Exchange Commission has filed against SolarWinds, the IT services firm that suffered a disastrous cyber attack in 2020. How much does SolarWinds’ compliance with the NIST framework for cybersecurity — or its lack thereof — figure into this risk management morass? Quite a lot, at least…
A Deep Dive Into SEC’s SolarWinds Lawsuit
Heads up, compliance and internal audit professionals! The Securities and Exchange Commission just filed a potentially profound lawsuit against the tech company SolarWinds and its CISO for misleading investors about the state of that company’s cybersecurity defenses — defenses that were proven toothless during a cybersecurity breach in 2020. The lawsuit, filed Monday against SolarWinds…
An Update on SOX Compliance Issues
Earlier this week I attended a webinar hosted by KPMG about the current state of Sarbanes-Oxley compliance, since 2023 is coming toward a close and audit professionals need to start thinking about the SOX compliance season that will start up early next year. We have lots to go through here. For starters, SOX compliance does…
A Look at Actual Cyber Disclosures
Today I want to return to cybersecurity disclosures. Before we even get to the Securities and Exchange Commission’s new rule for expanded disclosure of cybersecurity issues, perhaps we should pause to consider: what have companies already been disclosing about cyber incidents? After all, the most contentious part of the SEC’s new cyber disclosure rule is…
US Attorneys Adopt Self-Disclosure Policy
U.S. attorney offices across the country have published a new, uniform policy for voluntary self-disclosure for corporate misconduct. The policy is largely in line with what the brass at the Justice Department have been talking about for months, although compliance officers should give the new policy a read anyway to avoid any surprises. The policy…
A 10-K Disclosure First: ‘Anti-ESG’
Congratulations to the Carlyle Group, which apparently is the first company ever to disclose in an SEC filing that conservatives’ displeasure with corporate ESG efforts is a material risk to corporate performance. Carlyle, a publicly traded investment company with more than $370 billion in assets under management, included “anti-ESG sentiment” as a risk factor in…
Attestations for Cyber Controls
Last week I was in Atlanta speaking to a group of IT auditors. Conversation turned to the SEC’s proposals for expanded disclosure of cybersecurity risks, and attendees raised a good question: Does this mean that CISOs and other executives will need to attest that, yes, the company’s cybersecurity measures are effective? Under the text of…
SEC Proposes Climate Risk Disclosure Rule
The Securities and Exchange Commission today unveiled its long-awaited proposal for disclosure of risks related to climate change, including disclosure of greenhouse gas emissions stemming from a company’s supply chain as well as audit and attestation requirements for larger companies’ disclosures. The SEC adopted the proposed rule on a 3-1 vote, with lone Republican commissioner…
SEC Proposes Cyber Disclosure Rules
The Securities and Exchange Commission has proposed new rules that would require all public companies to disclose much more about how they manage cybersecurity risks and to disclose “material cybersecurity incidents” to investors promptly. The commission voted to propose the new rules on Wednesday morning — and to be clear, these are proposed new rules,…