
SEC: The New Cyber-Cop


Be ready to disclose privacy breaches

By David Lynn, Tony Rodriguez
David Lynn
Partner, Washington
Morrison & Foerster

Tony Rodriguez
Partner, San Francisco
Morrison & Foerster

It seems scarcely a week goes by without a headline blaring news of a major cybersecurity breach. And with ongoing revelations about the data-tracking activities of the National Security Agency, the public isn’t growing less concerned about privacy. So it’s no surprise Congress has pressed the Securities and Exchange Commission on cybersecurity.

What does that mean for corporate disclosures? “The SEC continues to hear from Congress on cybersecurity disclosures, so it will continue to focus on the issue,” says David Lynn, a partner in Morrison & Foerster’s Washington office and co-chair of its Corporate Finance Practice. “That means companies need to be vigilant about their disclosures.”

The SEC last issued guidance on cybersecurity disclosures in 2011. Since then it has issued several dozen comment letters to companies that experienced a cybersecurity issue and failed to disclose it entirely to the SEC’s liking. Even if the agency doesn’t revisit its current guidance on cybersecurity disclosures, “[SEC Chair] Mary Jo White has told Congress the issue is important to the SEC,” says Tony Rodriguez, a partner in Morrison & Foerster’s San Francisco office whose experience includes representations in SEC matters.

The continuing SEC scrutiny also raises concerns about potential litigation. “While we haven’t necessarily seen an increase in cybersecurity cases, if a company is called out by a regulator on their disclosures, it could encourage plaintiffs to take legal action,” Rodriguez observes.

What should companies do? Besides taking appropriate steps to protect data from cyberattacks and remediate breaches that do occur, make sure you have a robust process in place to communicate potential problems to corporate leaders. “Executives responsible for disclosures need to become aware of cybersecurity issues promptly so they can make appropriate disclosure decisions,” Lynn advises.

Finally, approach disclosures in a thoughtful way and let the facts speak for themselves. Describe cybersecurity issues in an accurate, complete manner so as to minimize the possibility of SEC comments and potential litigation.

“Just because the last SEC guidance was issued in 2011 doesn’t mean the issue has gone away,” Lynn concludes. “Cybersecurity breaches will continue to happen to organizations across the board. So be vigilant about your disclosures.”





David Lynn
Partner, Washington
Morrison & Foerster

David Lynn, a partner in the Washington D.C. office of Morrison & Foerster, is co-chair of the firm’s Corporate Finance practice. He counsels clients on securities law compliance, corporate governance, executive compensation, and disclosure best practices. The former chief counsel of the Division of Corporation Finance at the Securities and Exchange Commission, Mr. Lynn is a leading authority on SEC issues and a recognized expert on the Jumpstart Our Business Startups (JOBS) Act of 2012.



Tony Rodriguez
Partner, San Francisco
Morrison & Foerster

Tony Rodriguez represents corporations, board committees and individual directors, and corporate officers in class action and derivative litigation, SEC matters, and internal investigations. He defends companies in antitrust and unfair competition claims, and represents major companies in litigation arising from Internet trademark use and other IT-related matters.

He co-chairs the Derivative Suits Subcommittee of the American Bar Association’s Securities Litigation Committee.








© 2019 Simplex Knowledge Company. All Rights Reserved.