The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting
Securities and Exchange Commission (SEC)
Webinar — Ballard Partner Phil Yannella to Join Discussion of New Proposed SEC Cyber Rules for Investment Advisors
Since the beginning of the year, the SEC has issued several sets of proposed rules governing cybersecurity. In an upcoming webinar, Ballard Privacy & Data Security partner Phil Yannella will join a panel discussion hosted by SEI Investments concerning the impact of these new rules on registered investment advisors and funds. You can register…
New SEC Proposed Cyber Rules Signal Concern About Systemic Risk
After many years of signaling potential expansion of cybersecurity rules, the Securities and Exchange Commission (SEC) has issued in the past month two new sets of proposed rules governing cybersecurity. The more recent set of proposed rules governs the disclosure of unscheduled material cyber events by public companies. These rules come on the heels of…
SEC Proposes New Disclosure Rules for Cyber Incidents
On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance.
Continue Reading SEC Proposes New Disclosure Rules for Cyber Incidents

Some Thoughts on the Year in Privacy and Data Security Law
As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.
Owning the Mega-Breach
2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record.
Continue Reading Some Thoughts on the Year in Privacy and Data Security Law
Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”
On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.
As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance).
Continue Reading Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”

SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls
The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.
On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.” In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters.
Continue Reading SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls
The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.
Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

SEC Releases Guidance on Public Company Cybersecurity Disclosures
On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.
Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge.
Continue Reading SEC Releases Guidance on Public Company Cybersecurity Disclosures
SEC Continues to List Cybersecurity Among OCIE Examination Priorities
The SEC Office of Compliance Inspections and Examinations (OCIE) has announced its 2018 examination priorities. Unsurprisingly, cybersecurity remains among the key priorities. OCIE has included cybersecurity as an examination topic since at least 2014.
OCIE released its 2018 priorities to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE conducts the SEC’s National Exam Program (NEP), whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examinations of broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities.
Continue Reading SEC Continues to List Cybersecurity Among OCIE Examination Priorities