TheCorporateCounsel.net

Speaking of cybersecurity incidents, this Covington memo provides some guidance on how companies can minimize their own risk of running into trouble with the SEC on cybersecurity issues. One recommendation is that companies review and update their list of “crown jewel” information and technology assets:

The SEC’s SolarWinds complaint, along with commentary in the Rules’ adopting release, make clear that companies are expected not only to identify their “crown jewels,” but to take appropriate action to protect them. Specifically, the SEC’s complaint faulted both SolarWinds and its CISO for not disclosing to the investing public known risks facing products and services that it had identified as among its “crown jewels.” Similarly, the Rules’ commentary suggests that if a cybersecurity incident impacts a company’s “crown jewels,” that information might be sufficient to make a materiality determination even before the company has “complete information” about the incident.

Consider identifying your organization’s “crown jewels” (or re-evaluating an existing list) to ensure the list is updated and not overly broad. Also consider prioritizing efforts to identify cybersecurity risks regarding crown jewels and the controls that protect them.

The SEC’s SolarWinds complaint also treated a company’s “crown jewels” as key assets and the company’s safeguards to protect against unauthorized access to those assets as part of the company’s internal accounting controls (which were alleged to be inadequate).

Other recommendations include updating cybersecurity risk governance disclosures in annual reports to ensure their accuracy, resolving documented cybersecurity “red flags” and providing training on best practices for internal documentation, assessing how existing incident response plans and disclosure control procedures should be integrated, and engaging in pre-incident testing of response procedures.

– John Jenkins