January 7, 2020

Ransomware: The Cyber Attack That Companies Refuse to Call by Name

With all the emphasis in recent years on greater candor in cybersecurity disclosures, it’s a little surprising that, according to this recent ProPublica report, there’s one type of cyber attack that companies are unwilling to call by its name: a ransomware attack. Here’s an excerpt:

Each year, millions of ransomware attacks paralyze computer systems of businesses, medical offices, government agencies and individuals. But they pose a particular dilemma for publicly traded companies, which are regulated by the SEC. Because attacks cost money, affect operations and expose cybersecurity vulnerabilities, they sometimes meet the definition used by the SEC of a “material” event — one that a “reasonable person” would consider important to an investment decision. Material events must be reported in public filings, and failure to do so could spur SEC action or a shareholder lawsuit.

Yet some companies worry that acknowledging a ransomware attack could land them on the front page, alarm investors and drive down their share price. As a result, although many companies cite ransomware in filings as a risk, they often don’t report attacks or describe them in vague terms, according to experts in securities law and cybersecurity.

The report points out that ransomware is a staple of risk factor disclosure, but many companies that have actually been hit by an attack seem to take the position that it isn’t material because no customer data was compromised.

There may be an argument for that position, but companies that consider adopting it should take a hard look at the language of their risk factor disclosure about ransomware. As Facebook found out last year, while it’s prudent to warn about risks that haven’t happened, disclosure that presents an event as merely a hypothetical risk when it has in fact already occurred may well be misleading.

Auditor Independence: U.K. Tightens Independence Rules

Oscar Wilde once said (well, sort of) that the U.S. and the U.K. are two peoples separated by a common language. Now, it looks like their regulators’ approach to auditor independence may be another area in which they differ. While the SEC recently proposed to loosen the reins on auditor independence, this FT article says that the U.K.’s Financial Reporting Council is taking the opposite approach. Here’s an excerpt:

UK regulators have banned audit firms from providing a number of advisory services to listed companies and financial institutions in an effort to strengthen auditor independence after a series of scandals. The Financial Reporting Council on Tuesday issued a “radical” update to its ethical standards for audit firms, which have been scrutinised over poor audits and possible conflicts of interest in the wake of corporate collapses such as at Carillion, BHS and Thomas Cook.

The regulator banned accounting firms from providing all recruitment and remuneration services and due diligence from the public interest entities they audit — mostly listed companies, banks and insurers. It also prohibited them from giving tax advice, advocacy and acting in any management role.

In fairness, some of these services are already prohibited under U.S. independence rules, but it certainly suggests a more skeptical regulatory climate when it comes to independence issues than the one that’s currently prevailing here.

CEO Leadership: Don’t Hate Me Because I’m Beautiful

A recent study says that I’m putting a real crimp in my wife’s chances to succeed as a CEO. How come? Not to brag, but it’s my smokin’ hotness that counts against her. If that’s not bad enough, it turns out that – here’s a shock – it works the other way for men. Here’s an excerpt from the study’s abstract:

Study 1 found that while partner’s attractiveness enhanced the perceived leadership of male CEOs, female CEOs’ leadership was downgraded in the presence of an attractive partner. Study 2 validated that the leadership penalty for female CEOs increased when they were seen with more attractive males than with less attractive males.

I suppose that some of you may take issue with my view of myself as a “trophy husband.” Well, I can assure you that despite my strong resemblance to The Addams Family’s Uncle Fester, I radiate an inner beauty – or at least that’s what my mother says.

John Jenkins