A Memo on Cyber Materiality

SolarWinds

So there I was the other day, pondering that new Securities and Exchange Commission rule for expanded disclosure of cybersecurity issues, when my phone rang. It was my friend the cybersecurity auditor. “Hey,” he said, “I have an idea for how companies can prepare for that new rule about disclosing cybersecurity stuff.” I was intrigued.…

SEC Warns on Risk Assessments

risk assessments

The top accountant at the Securities and Exchange Commission is warning auditors and corporations alike to do better at risk assessments, and in particular to pay more attention to small control failures that might be suggestive of larger issues in a company’s control environment. Chief accountant Paul Munter released his statement Friday afternoon, a maneuver…

SEC Adopts Cyber Disclosure Rule

disclosure

As expected, the Securities and Exchange Commission adopted new rules today requiring publicly traded companies to make more disclosures about the cyber risks they have and the specific cyber attacks they suffer. The final rules are largely in step with what the SEC first proposed last year: annual discussion of cyber risks in the company’s…

SEC to Vote on New Cyber Rules

SolarWinds

The Securities and Exchange Commission will, at long last, vote next Wednesday on new rules that would require companies to make expansive new disclosures about their cybersecurity risks and the cyber incidents they suffer. The SEC originally proposed the rules in March 2022 — and they have been a sleeper issue in SEC rulemaking while…

Here Come the Clawback Clauses

clawbacks

The Securities and Exchange Commission enacted a rule today that will require public companies to adopt and disclose executive compensation clawback policies, echoing the Justice Department’s effort to make companies exercise clawbacks more often when their executives commit misconduct. The rule directs U.S. stock exchanges to update their listing standards so that listed companies are…

SEC to Auditors: Do Better on Fraud Risk

fraud

The Securities and Exchange Commission is urging auditors to do better at assessing fraud risk among their clients — a rather notable statement peppered with keywords such as “gatekeepers” and “protection of investors,” clearly intended to warn audit firms that the agency wants to see improvement here. The statement came on Tuesday from Paul Munter,…

Lessons in the HanesBrands Cyber Attack

Before we all forget, compliance and audit professionals should note that HanesBrands coughed up an ugly quarterly report last week — and one principal reason for that awful report was a ransomware attack that apparently cost HanesBrands $100 million in lost revenue. The ransomware attack itself is not news; Hanes disclosed the matter on May…

Attestations for Cyber Controls

Last week I was in Atlanta speaking to a group of IT auditors. Conversation turned to the SEC’s proposals for expanded disclosure of cybersecurity risks, and attendees raised a good question: Does this mean that CISOs and other executives will need to attest that, yes, the company’s cybersecurity measures are effective? Under the text of…

Comments on SEC Cyber Proposal

enforcement

We continue our focus on cybersecurity compliance today with a return to the SEC’s proposals for expanded disclosure of cybersecurity risk in corporate reports. The public comment period for those proposals closed last week, and compliance officers have a bundle of interesting points to ponder. The SEC received dozens of comments, and to no surprise…

Proposed Greenhouse Gas Disclosures

carbon offsets

Today let’s return to the SEC’s proposed requirement that companies disclose their climate risks, and specifically the greenhouse gas emissions that arise from a company’s operations and supply chain. Tracking and reporting such information could be quite difficult — so what’s the rationale here, and how might companies get started to fulfill such a requirement?…
