Instructive for all companies, the SEC charged a real estate services company for violating Rule 13a-15(a) of the Securities Exchange Act of 1934 by failing to maintain adequate disclosure controls and procedures (DC&P) in connection with a cybersecurity vulnerability disclosure. The lack of sufficient DC&P reportedly resulted in the company’s making an uninformed public disclosure based on information in possession of the company’s information security personnel that did not make its way in a timely manner to senior management responsible for the company’s public disclosures.
See the SEC’s release; Cooley’s post; and additional resources on our Cybersecurity/Data Privacy, Financial Reporting, SEC Enforcement, and Disclosure Committees pages. Join the Disclosure Committee session at the Society’s National Conference: “New Era of Governance” where you will hear from your peers on common and best practices for disclosure committees to support cybersecurity and other non-financial (as well as financial) disclosures.
This post first appeared in the weekly Society Alert!