Though ‘Inconsistent,’ Cyber Breach Disclosures Pack in a Range of Details

T-Mobile announced in a Form 8-K last month that it had suffered a cybersecurity breach that could present “significant,” yet probably not material, costs to the company. The disclosure included a swath of information — including details on the types of files accessed by bad actors, where hackers probably got into T-Mobile’s systems and a…

Cyber Expertise Needs Vetting as Boards Seek Crucial Skill

In recent years, search firms have been flooded by requests for director candidates with cybersecurity backgrounds as boards seek to leverage this expertise when responding to rising cyber risks. …Over the past five years, companies in both the Russell 3000 and S&P 500 have seen the number of directors boasting cybersecurity expertise climb by the…

Cyber Risk a Moving Target as Boards Weigh Insurance Options

The recent surge in cybersecurity and ransomware attacks has spurred many boards to ask management to take a second look at the cybersecurity protections that they have in place, specifically insurance coverage in the event of an attack with cascading impacts on partners and third parties. Recent estimates show that the global cyber insurance market…

‘Hacktivism’ Draws Criminals from Ransomware, but Risk Still High

The war between Russia and Ukraine has drawn some cybercriminals away from monetarily driven cyberattacks — such as the typical ransomware attack — and toward hacktivism. Despite that, the number of ransomware attacks is still expected to grow this year, according to a leading cybersecurity company. Directors shouldn’t take some hackers’ new focus as a…

The CIO, CISO, Materiality And SEC Cybersecurity Risk Factor Disclosures

For the first time in 30 years, the SEC has updated its risk factor disclosure guidance under Regulation S-K (Reg S-K).

One of the foundational updates replaces the requirement for issuers to disclose the “most significant” risk factors with “material” risk factors. That’s a significant shift in the SEC’s principles-based approach to risk factor disclosure that has implications for cybersecurity-focused risk factors and their disclosure.

Registrants should begin reviewing their risk factor disclosure now to prepare for the final rules going into effect for the 4th quarter 2020 Form 10-Q filing and the fiscal year 2020 10-K annual filing.

This DDN Insight is Part 1 of a series focused on what CIOs and CISOs need to understand about cybersecurity risk factor disclosures relative to this change and other trends. But first, some background.

Corporate Boards Face Cyber Test as COVID Forces Meetings Online

Corporate boards forced to move meetings online during the coronavirus pandemic are trying to guard against cyberattacks with secure communication platforms and instructions for members on notetaking and eavesdropping.

Boards are gravitating to platforms such as Cisco Systems Inc.’s Webex, LogMeIn Inc.’s GoToMeeting, and Microsoft Corp.’s Teams, according to directors and consultants. Nasdaq Inc. has added 2,000 customers over the past few months for its board platform that offers secure messaging and presentation aids, the company said.

The move has forced corporate leaders, often better at networking in-person than virtually, to burnish their technology skills. “Everybody’s online now, including the board,” said Bob Zukis, CEO and founder of the Digital Directors Network, which advocates for corporate governing bodies to add technology experts to their ranks.

Boards are building security into online meetings because the items they discuss, like layoffs and government loans, make them attractive targets for hackers. That’s driving demand for digital portals such as Nasdaq’s and one from Diligent Corp., which offer secure means for discussions and document sharing compared with more-easily-compromised apps.

Cyber Disclosures Raise Flurry of New Concerns

The largest companies are gradually telling investors more about the pains they’re taking to protect their own information as well as customers’ privacy. Yet some industries are reporting those efforts better than others, according to new studies.

A growing number of firms have fallen into step with last year’s guidance from the Securities and Exchange Commission to disclose their cyber-security risks and what management and the board are doing to address them. For instance, according to a report from the EY Center for Board Matters, more than half of Fortune 100 companies reported in 2019 proxy statements and annual reports that they sought to recruit new board members with cyber skills versus only 40% the year before.

Also, more companies have decided to place oversight of cyber risk in non-audit committees. It was 28% of the Fortune 100 this year compared to 21% in 2018. (Please see chart at the bottom.)

A Tale of Two Scandals: Wells Fargo and Equifax

Wells Fargo and Equifax each suffered embarrassing corporate disasters in the recent past. Yet the companies are at much different points in their recoveries, say legal, governance and management observers. That makes them interesting studies in how boards oversee — or fail to oversee — crises and turnarounds.

The three-year cleanup of Wells Fargo’s management and compliance problems still looks far from complete. CEO Tim Sloan — who was appointed to clean up the mess following Wells’s fake-accounts scandal — suddenly resigned in March, and the interim chief is clearly a placeholder. The company faced angry protestors at its annual meeting last month after years of scandal.

By contrast, the transformation strategy at Equifax appears to be close to a denouement. That began with the almost immediate removal of former CEO Richard Smith, who presided over the credit-reporting company’s widely publicized data breach.