Uncovering the Risks: How Recent SEC Actions Highlight the Peril of Inadequate Cybersecurity Programs


Here are some highlights of the SEC Cybersecurity Disclosure Rules. The new rule makes it unlawful to “make any untrue statement of a material fact, or to omit to state a material fact”. What does this mean?

Material fact.

A fact that a reasonable person would recognize as relevant to a decision to be made, as distinguished from an insignificant, trivial, or unimportant detail. In other words, it is a fact, the suppression of which would reasonably result in a different decision.

Failing to disclose, or withholding, a material fact, such as a weak or non-existent cybersecurity program, would operate as a fraud or deceit upon any person.

New regulation already leading to fines.

As of 30th November 2023, the following companies were fined for not implementing a security program:


Blackbaud ($3M – making misleading disclosures about a 2020 ransomware attack)

Yahoo ($35M – failing to disclose a large data breach)

First American Financial Corp ($487,616 – failed to maintain disclosure controls and procedures designed to identify vulnerabilities)

Pearson ($1M – failure to patch vulnerabilities, no procedures, and misleading statements)


Your clients absolutely need, and many don’t currently have, an easy-to-implement plan and solution.

Our security program management solution.

At The ComplianceAide we have an AI-driven compliance platform that implements these steps and delivers compliance with the SEC rule. For further information visit www.thecomplianceaide.com and book a 15-minute consultation to see how we can help.