The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly scrutinized in future litigation and regulatory investigations.
On October 20, 2014, a New Jersey court dismissed a shareholder derivative suit that sought damages, notably from the directors and officers of Wyndham Worldwide Corp. (“WWC”), for several data breaches. This decision is the first decision issued …
In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.
How big is the risk?
The malevolently inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that the average size of a breach is about 30,000 records) and more damaging (the average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15 million. …
In light of the increasing rate of security breaches in industry and government, the US Securities and Exchange Commission (SEC) has issued guidelines encouraging public companies to disclose cyberattacks waged against them. The guidelines apply to both domestic US companies and foreign private issuers, and may therefore apply to Canadian companies registered in the US.
What types of disclosure are required?
A company is obligated to disclose material information relating to risks (e.g., a security system failure) and incidents (e.g., a security breach) if necessary to avoid misleading investors in light of other required disclosures.
When is disclosure required?
In …