SEC Cybersecurity Guidelines: Insights into the Utility Risk Factor Disclosures for Investors
Edward A. Morse, Vasant Raval, and John R. Wingender, Jr., 73(1): 1-34 (Winter 2017/2018)
In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
Protection of Client Confidential Information from Cyberattacks Is a Compelling Business and Ethical Priority for Inside and Outside Corporate Counsel
E. Norman Veasey, 75(1): 1495-1518 (Winter 2019-2020)
Criminal cyberattacks are increasingly rampant. The criminals who launch these attacks target law firms and businesses mercilessly—around the clock. In-house and external counsel have an urgent responsibility not only to understand the perils that these attacks present to law firms and corporate law departments but also to take defensive action.