The SEC sent a clear reminder to public companies grappling with cyber-attacks that information concerning cyber vulnerabilities and remediation needs to be shared and considered by those responsible for public disclosures. In particular, the SEC alleged that senior executives responsible for making public statements about a specific cyber vulnerability were not told that security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The SEC commenced and settled an enforcement action imposing a fine of approximately $500,000, and finding that the public company failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerabilities was analyzed for disclosure in the company’s public statements. Please take the time to ensure that your public company is including relevant cyber-related information as part of its disclosure control process.
"Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months."