Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014. Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks.

Continue Reading A Deep Dive into Privacy/Security Disclosures in Snap’s S-1

The 2016 lists are starting to be released by regulatory agencies in the United States, giving a heads-up to covered entities as to what compliance issues will take front and center this year. Once again, the Office of Compliance Inspections and Examinations (OCIE) of the US Securities & Exchange Commission (SEC) has put cybersecurity at the top of its examination priorities. OCIE is responsible for conducting examinations of the entities required to be registered under various SEC regulations, including broker-dealers, transfer agents, investment advisers, and investment companies.

Continue Reading Cybersecurity Tops SEC Office of Compliance Inspections 2016 Examination Priorities

The SEC has announced a new round of cybersecurity inspections at broker-dealer and registered investment advisory firms.  If that’s not enough to catch your attention, just days after issuing the Risk Alert, the SEC censured and fined a St. Louis-based investment advisor for a failure to adopt written policies and procedures to ensure the confidentiality of personal information as required by law.   According to the SEC, that failure led to a breach of the personal information of 100,000 investors held by R.T. Jones Capital Equities Management and led to a $75,000 fine.

Register now for our upcoming webinar on Wednesday, September 30 at 1 pm ET, where the latest Risk Alert and enforcement action, along with other important developments, will be discussed by Mintz Levin’s Steve Ganis and Peter Day.

Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking

This webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers. Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking, and money services firms collect, retain, protect, and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.


As always, the webinar is eligible for New York and California CLE credit.

It’s back to school time – time to put away the flip flops and beach chairs and settle back into the routine. To help motivate you, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has announced a new round of cybersecurity examinations! This comes on the heels of the SEC’s sweep exam of broker-dealers and registered investment advisers and the issuance of its February 2015 summary observations from that sweep.

Last month, our August webinar discussed third party vendor security management in a more general context, and how critical vendor management is to the overall cybersecurity health and resilience of your organization. Over 500 people took a break on a beautiful August day to catch the webinar – if you missed it, click here to play back the webinar.

We had already planned our September topic — Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking — but it is even more timely in light of last week’s OCIE announcement.

In this next round of OCIE examinations, the office will direct the testing at implementation of key controls and procedures, none of which will be surprising to regular readers of this blog.

  • Governance & Risk Assessment: current processes tailored to the business with senior management and board involvement
  • Access Rights & Controls: controls across, within, and without the enterprise, including access tracking, credentialing, Bring Your Own Device (BYOD) and other issues
  • Data Loss Prevention: patch management, system configuration, outbound communications, with special emphasis on personally identifiable information (PII)
  • Vendor Management: (see last month’s Privacy webinar)
  • Training: both employees and vendors
  • Incident Response Plans


The September Privacy Wednesday webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers (and specifically look at the OCIE standards and exam process). Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking and money services firms collect, retain, protect and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and expert insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.

Registration is open – here.  Join us!


Shareholder Proposals on Cybersecurity and Privacy: Another Country Heard From

Written by Megan Gates

As the holiday season slips into the rear view mirror, another season looms large for public companies — proxy season. Adding to the ever-growing chorus of demands for increased transparency by public companies on cybersecurity and privacy matters, institutional shareholders have recently begun to contribute their own distinctive voices to the discussion. One powerful tool being deployed in this regard by institutional shareholders is the ability to require public companies to include certain shareholder proposals in proxy statements for shareholder meetings. This right allows public company shareholders who jump through the procedural and substantive hoops created by Rule 14a-8 under the Securities Exchange Act of 1934, as amended, to air their concerns publicly and directly through the company’s own proxy statement, and to require that a vote be taken at the meeting on their proposals, alongside the company’s own proposals.

Continue Reading On the Third Day of Privacy, the Shareholders Gave to Me……

Written by Adam Veness

SEC Commissioner Luis Aguilar recently spoke at the New York Stock Exchange Conference “Cyber Risks and the Boardroom.”  In his speech, Commissioner Aguilar emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,


“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”


Commissioner Aguilar highlighted the broad duties that a board owes to the corporation.  He proffered that the board’s general role in corporate governance and overseeing risk management provides the foundation for a board’s role in addressing cybersecurity issues.  He acknowledged that boards are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk – and as a result there can be little doubt that cyber-risk also must be considered as part of a board’s overall risk oversight.

Continue Reading Calling All Boards of Directors: Four Recommendations from the SEC

Written by Adam Veness

After Target Corporation’s (NYSE: TGT) net earnings dropped 46% in its fourth quarter compared to the same period last year, Target finally answered the 441 million dollar question – To 8-K, or not to 8-K?  Target filed its much anticipated Current Report on Form 8-K on February 26th, just over two months after it discovered its massive data breach.

In its 9-page filing, Target included two introductory sentences relating to disclosure of the breach under Item 8.01 – Other Events:

During the fourth quarter of 2013, we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network. Throughout the Risk Factors in this report, this incident is referred to as the ‘2013 data breach’.

Target then buried three new risk factors that directly discussed the breach apparently at random within a total of 18 new risk factors that covered a variety of topics ranging from natural disasters to income taxes.  Appearing in multiple risk factors throughout the 8-K were the following:

The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.

A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.

We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

An interesting and atypically relevant part of Target’s 8-K is the “Date of earliest event reported” on its 8-K cover page.  Although Target disclosed its fourth quarter 2013 breach under Item 8.01, Target still listed February 26, 2014 as the date of the earliest event reported, which is the date of the 8-K filing and corresponding press release disclosing Target’s financial results.  One can only imagine that this usually benign date on Target’s 8-K was deliberated over for hours by expensive securities lawyers, and that using the February earnings release date instead of the December breach date was nothing short of deliberate.  Likely one more subtle way to shift the market’s focus away from the two-month old data breach and instead bury the disclosure within a standard results of operations 8-K filing and 15 non-breach related risk factors.

To Target’s credit, its fourth quarter and fiscal year ended on February 1, 2014, and Target’s fourth quarter included the entirety of the period during and after the breach through February 1.  Keeping that in mind, Target may not have had a full picture of how the breach affected its earnings in the fourth quarter until it prepared its fourth quarter and year-end financial statements this month.  Maybe the relevant “Date of earliest event” was the date on which Target was able to fully appreciate the effects of the breach, which occurred on the day that it finalized and released its earnings on February 26.  But maybe not.

Whatever the case may be, Target’s long awaited 8-K filing is likely only a short teaser of the disclosure that should be included in Target’s upcoming Form 10-K filing.

Also on the subject of the Target breach, Retailing Today recently published a guest post by Cynthia Larose discussing the issues facing both retailers and card issuers.


Sing it with me now….. FIVE GOLDEN RULES!

Written by Adam Veness

As public companies prepare for the New Year and the start of yet another annual reporting season, it is the perfect time to reflect on our 2013 prediction that the SEC would require greater disclosure relating to cybersecurity risks and data breaches.  As predicted, the SEC has been quite busy.

Last March, we saw a wave of cybersecurity risk factor disclosure by the nation’s largest banks.  In April, we were fortunate enough to learn of the three major types of cybersecurity comments that the SEC had issued straight from the reindeer’s mouth.

Now, as we look back at 2013 and some of the comments that public companies have received, we have come up with five golden rules for avoiding cybersecurity coal in your SEC comment letter in 2014:

GOLDEN RULE ONE: EVALUATE – Before being able to properly disclose cybersecurity risk factors, public companies must first evaluate and assess their cybersecurity systems and procedures to better understand where they may be vulnerable to breaches.

GOLDEN RULE TWO: DETERMINE – Once an evaluation is complete and public companies understand their cybersecurity weaknesses, they should then determine the potential risks associated with those weaknesses and the effect that a data breach could have on the business, including whether such a breach would likely be material (hint: the answer is probably yes). Failure to adequately evaluate and determine the extent and likelihood of potential risks could trigger an SEC comment, like this one that Zlato, Inc. received in response to its Form S-1 filing:

“You state that access to your system by intruders or unauthorized users would be an ‘unlikely event.’ Given the risks associated with cybersecurity breaches, please consider revising. We refer you to the Division of Corporation Finance’s CF Disclosure Guidance Topic No. 2: Cybersecurity for additional guidance on this topic. Furthermore, tell us what consideration you gave to including risk factor disclosure.”  (emphasis added)

GOLDEN RULE THREE: PLAN – In addition to knowing the risks of potential data breaches, public companies should have a plan for preventing cybersecurity risks and mitigating the effects of a potential breach.

GOLDEN RULE FOUR: DISCLOSE – The first three golden rules will be ineffective in preventing SEC cybersecurity comments without taking the next step and actually disclosing in public filings the risks determined in the evaluation, and the scope of the plan. If a tree falls in the forest, and no one is around to hear it……

GOLDEN RULE FIVE: BE SPECIFIC – The fifth, and arguably most important, golden rule in avoiding an SEC comment regarding cybersecurity is to be specific. Omitting cybersecurity risk factor disclosure altogether might allow a company to sneak by in a filing or two without receiving an SEC comment. Alternatively, including a cybersecurity risk factor that is vague or boilerplate invites the SEC to comment. By disclosing the risk broadly and making general statements about cybersecurity breaches that a public company may have suffered, the disclosure flags the issue without adequately explaining the company-specific risks and the facts surrounding any actual prior breaches. Part of being specific also means that cybersecurity risk factors should stand alone, and should not be only a piece of a broader risk factor.

State Street Corporation made the mistake of being overly vague in its Form 10-K disclosure.  As a result, it received the following comment from the SEC:

“We note that you disclose that you ‘continue to face increasing cyber security threats.’ Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, what consideration you have given to disclosing such events in your risk factors. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.”


By following the five golden rules, public companies can minimize the likelihood of receiving an SEC comment concerning deficiencies in their cybersecurity disclosure, or potentially worse, shareholder lawsuits in the event of a cybersecurity incident the risks of which were not adequately disclosed. As shown in the SEC comments cited above, it is also a good idea to read the SEC guidance and/or Mintz Levin’s overview of the guidance, to understand the foundation for cybersecurity risk factor disclosure.


And so the chorus goes,

Five Golden Rules
Two California laws (at least…)


We will be back on Monday with the Sixth Day of Privacy.


UPDATE: The Federal Trade Commission recently issued a revised guide on the Red Flags Identity Theft Rule, designed to help businesses comply with the requirements of the Rule. Our detailed Client Alert on the Final Red Flags Rule and compliance obligations issued by the SEC and CFTC can be found here. Compliance with the Red Flags Rule for entities regulated by the FTC has been required since 2007.

The revised guide is a helpful tool for entities that are considering whether they are covered by the Rule as well as for covered entities as it:

  • Provides a two-part analysis that businesses can use to determine if they are a “financial institution” or a “creditor” covered by the Rule,
  • Contains an FAQ section that clarifies the definition of “creditor,” and
  • Outlines a four-step compliance process for businesses under FTC jurisdiction.

You can find a copy of the guide here.

If you need assistance with your own Red Flags compliance program, or determining whether you are covered by the Rule, contact a Mintz Levin Privacy attorney.


UPDATE: We have prepared a detailed Client Alert as a guide to getting started with these new Red Flag Rules and compliance obligations. You can read it here.


It has been several years since the Federal Trade Commission’s Red Flag Rule took effect, and the banking regulators have had the Red Flag Interagency Guidance in place since 2007. Finally, entities regulated by the Securities and Exchange Commission (SEC), such as broker-dealers and investment advisers, and entities regulated by the Commodity Futures Trading Commission (CFTC), such as futures commission merchants, commodity trading advisers and commodity pool operators, will be required to join the party.

In announcing the adoption of the rule, new SEC Chair Mary Jo White said, “Current estimates are that about five percent of American adults fall victim to identity theft fraud each year.  It is a risk for everyone, and as technology continues to advance, the risks increase.”

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies. Last year the agencies issued a joint proposal on the identity theft provision. The final rules are “substantially identical” to the proposal, said Norm Champ, director of the SEC’s Division of Investment Management.

Specifically, the rules require that covered entities set up programs that identify, detect, and respond to identity theft “red flags.” Most of the SEC-regulated entities will not be surprised by these rules. Dodd-Frank essentially transferred oversight of already-existing Fair Credit Reporting Act requirements from the FTC to the SEC and the CFTC.

SEC Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay “particular attention” to the rules. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rules will become effective 30 days after publication in the Federal Register, and firms will be required to come into compliance six months after that date.