April 24, 2014

Cybersecurity: “Heartbleed” as a Risk Factor?

As noted in this WSJ blog by James DeGraw and Lisa Rachlin of Ropes & Gray, companies have been pounded by the latest widespread cybersecurity threat – “Heartbleed,” a fundamental flaw in OpenSSL, a popular, widely-used tool for encrypting Internet communications. Doing a quick search on Edgar, I can find no SEC filing that includes the term “Heartbleed.” Perhaps it’s a little early, and eventually there will be some risk factors and other disclosures.

I tend to think that, unless a company had a particular “cyber incident” – to use the SEC’s parlance – related specifically to the Heartbleed OpenSSL flaw, a risk factor disclosure in this area might be more generalized. For example, it might describe the risks inherent in relying on third-party or open-source software for cyber risk mitigation when that software might contain undetected flaws (e.g., Heartbleed).

Corp Fin’s guidance in this area – CF Disclosure Guidance: Topic 2 (Cybersecurity) – notes that “cyber incidents can result from … unintentional events,” which might include prolonged exposure from security flaws such as Heartbleed, a flaw that remained undetected by companies for years. The guidance also notes that cybersecurity risk disclosure must adequately describe the nature of material risks, which might include “risks related to cyber incidents that may remain undetected for an extended period.”

The bottom line is that – unfortunately – securities lawyers will need to learn more about security breaches and cybersecurity threats, as they have become a routine part of our daily lives with no end in sight. Learn more in our “Security Breaches” Practice Area.

Here’s an Akin Gump blog on the Congressional hearings on Target and other breaches, as well as the SEC’s cybersecurity roundtable (and here are some memos on the roundtable – and my sober reenactment video).

Mauri Osheroff Retires! Nearly the Last of a Generation

Sad to hear that long-time Associate Director Mauri Osheroff has retired after 40 years of service. Her many accomplishments are documented in this press release. Mauri is one of the last of a generation that led the Division from an era of no computers to a future that no one could imagine. A kind and well-informed soul, she will be missed. I remember first meeting Mauri in 1987 when I was an intern in Corp Fin and she was serving as Deputy Chief Counsel and came in to do a training session. She knew so much even back then!

Will Regulation A+ Make the Grade? Explanation of Comments Received by the SEC

NASAA and others are up in arms about the state preemption controversy brought on by the SEC’s Regulation A+ proposal. Check out this 24-page memo by McGuireWoods that parses the comment letters received by the SEC so far. Here’s NASAA’s comment letter.

– Broc Romanek