SEC Advice on Ransomware Disclosure

ransomware

The Securities and Exchange Commission has published fresh advice about when companies need to disclose a ransomware incident to investors, warning that companies will need to perform materiality assessments and be prepared to disclose the attack even if the attack is small and the company returns to normal operations quickly. The agency released five compliance…

Example of Cyber Disclosure Challenges

disclosure

Radical Compliance is back from vacation, and what better way to catch up on current compliance issues than an enforcement action over poor cybersecurity? Lucky for us, the Securities and Exchange Commission served up a fresh case just last week on exactly that headache. The case involves R.R. Donnelley, provider of business marketing services to…

Stating Your Ethical AI Principles

AI

Today we have another chapter in our ongoing series about artificial intelligence, and how companies can take a more compliance-aware approach to integrating AI into their operations. This time around I want to look at what the companies themselves are disclosing to the public. The idea came to me as I was researching my previous…

Qualitatively Material Cyber Incidents

cybersecurity

Today I want to revisit the new SEC rules for disclosing material cybersecurity incidents, and in particular those qualitatively material incidents that might seem especially tricky to assess and prevent. What internal controls become more important for that type of threat? This is on my mind because we’re already starting to see some companies disclose…

SolarWinds, Part III: ‘Following’ the NIST Framework

SolarWinds

Today we return to the lawsuit the Securities and Exchange Commission has filed against SolarWinds, the IT management software vendor whose Orion platform was compromised in a disastrous supply-chain attack disclosed in 2020. How much does SolarWinds’ compliance with the NIST framework for cybersecurity — or its lack thereof — figure into this risk management morass? Quite a lot, at least…

A Deep Dive Into SEC’s SolarWinds Lawsuit

SolarWinds

Heads up, compliance and internal audit professionals! The Securities and Exchange Commission just filed a potentially profound lawsuit against the tech company SolarWinds and its CISO for misleading investors about the state of that company’s cybersecurity defenses — defenses that were proven toothless during a cybersecurity breach in 2020. The lawsuit, filed Monday against SolarWinds…

An Update on SOX Compliance Issues

sox compliance

Earlier this week I attended a webinar hosted by KPMG about the current state of Sarbanes-Oxley compliance, since 2023 is coming toward a close and audit professionals need to start thinking about the SOX compliance season that will start up early next year. We have lots to go through here. For starters, SOX compliance does…

A Look at Actual Cyber Disclosures

cybersecurity

Today I want to return to cybersecurity disclosures. Before we even get to the Securities and Exchange Commission’s new rule for expanded disclosure of cybersecurity issues, perhaps we should pause to consider: what have companies already been disclosing about cyber incidents? After all, the most contentious part of the SEC’s new cyber disclosure rule is…

US Attorneys Adopt Self-Disclosure Policy

disclosure

U.S. attorney offices across the country have published a new, uniform policy for voluntary self-disclosure for corporate misconduct. The policy is largely in line with what the brass at the Justice Department have been talking about for months, although compliance officers should give the new policy a read anyway to avoid any surprises. The policy…

A 10-K Disclosure First: ‘Anti-ESG’

ESG

Congratulations to the Carlyle Group, which apparently is the first company ever to disclose in an SEC filing that conservatives’ displeasure with corporate ESG efforts is a material risk to corporate performance. Carlyle, a publicly traded investment company with more than $370 billion in assets under management, included “anti-ESG sentiment” as a risk factor in…