Recently, the Securities and Exchange Commission (the “SEC”) announced a settlement with a registrant relating to the registrant’s failure to disclose the occurrence of a cyber breach. The breach occurred in 2014 and was disclosed in 2016. A later-discovered breach that took place in 2013 was disclosed in 2017. The SEC noted that the company did not fully assess the impact of the breach on its business or whether the disclosures in its public filings, which addressed potential breaches, were rendered misleading by virtue of the actual breach. The SEC did note that it would not second-guess judgments regarding disclosures made by registrants acting in good faith.
The settlement, taken together with statements made by representatives of the SEC regarding the importance of assessing cyber breaches and related risks, and the recent guidance from the SEC regarding cybersecurity disclosures, serves to emphasize, among other things, the importance of disclosure controls and procedures that take into account cyber disclosures.