-
Undeterred By Recent Court Loss, SEC Charges Four Companies With Inadequate Cyber Disclosures In The Aftermath Of SolarWinds Breach
10/29/2024
On October 22, 2024, the SEC announced that it had entered into settlements with four separate companies for making allegedly misleading disclosures about how they were impacted by the SolarWinds data breach in 2019. The SEC’s approach to the SolarWinds data breach has already been recognized as very aggressive, and these actions, which elicited a pointed dissent from two Commissioners, will only further the debate. The companies at issue were each charged with violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act, and certain rules thereunder, and, without admitting or denying liability, agreed to pay civil monetary penalties ranging from $990,000 to $4 million.
-
Judge Dismisses Most Of SEC’s Suit Against An IT Management Software Company Over Cybersecurity Disclosures
07/23/2024
On July 18, 2024, U.S. District Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York issued a comprehensive 107-page opinion that may have significant implications for the Securities and Exchange Commission’s (“SEC”) enforcement strategy for alleged disclosure and accounting and disclosure controls violations by public companies and their executives. In particular, the decision may affect the Enforcement Division’s efforts to extend the application of existing requirements for public companies to maintain a system of internal controls over financial reporting to cover situations that are not directly related to financial reporting or accounting matters.
-
SEC Commissioner’s Dissent Highlights Challenges In Responding To Whistleblowers
04/19/2022
On Tuesday, April 12, the U.S. Securities and Exchange Commission (SEC) fined David Hansen, the former Chief Information Officer of NS8, Inc., a Las Vegas-based fraud detection and prevention software firm, approximately $100,000 for interfering with an employee’s ability to communicate with the SEC in violation of Rule 21F-17(a). The SEC alleged that Hansen violated the rule by restricting the employee’s access to NS8’s IT systems and monitoring his use of corporate computer systems following the employee providing a tip to the SEC about NS8’s corporate practices. In dissent, SEC Commissioner Hester Peirce said that the application of Rule 21F-17(a) was inappropriate in this case, arguing that restricting the tipster’s access to IT systems and monitoring their use did not impede their ability to communicate with the SEC and was a reasonable step in preventing unauthorized disclosure of NS8’s data to private parties and the media.