SEC Charges Issuer With Cybersecurity Disclosure Controls Failures

The SEC sent a clear reminder to public companies grappling with cyber-attacks that information concerning cyber vulnerabilities and remediation needs to be shared and considered by those responsible for public disclosures. In particular, the SEC alleged that senior executives responsible for making public statements about a specific cyber vulnerability were not told that security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The SEC commenced and settled an enforcement action imposing a fine of approximately $500,000, and finding that the public company failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerabilities was analyzed for disclosure in the company’s public statements. Please take the time to ensure that your public company is including relevant cyber-related information as part of its disclosure control process.