Unlike chess, everyone must continue playing after a cyber-attack
Abstract
Purpose
This paper aims to familiarize readers with the nature and extent of the risks that listed companies and their boards of directors face if they do not attend to ensuring the cyber-security of their operations and do not disclose cyber-episodes and their impact on operations, as suggested by the SEC's Division of Corporate Finance.
Design/methodology/approach
This article provides an overview of recent developments that led the SEC's Division of Corporate Finance to issue non-binding guidance on cyber-security. It also analyzes the importance of cyber-security in today's marketplace, the business sectors that already must comply with statutory and regulatory duties to safeguard private information, and the applicable duties of directors under Delaware law. It then gives an overview of enforcement activities against companies that have experienced data breaches, and discusses private class actions seeking damages claimed to have resulted from the negligence of companies and their boards in fulfilling their duties to protect such information from being stolen due to inadequate systems and protective measures.
Findings
The SEC Division of Corporate Finance's voluntary disclosure guidance concerning cyber-security offers various non-binding reasons for listed companies to report cyber-events that may be material to a business operation or to profitability. Listed companies and their boards face enforcement and private litigation risks in the event of a cyber-incident because of the heightened interest in cyber-security, the considerable costs likely to be incurred as a result of a cyber-event, and the duties they owe to exercise appropriate oversight in the face of known risks.
Originality/value
The paper provides a practical explanation of developing issues by experienced corporate and litigation lawyers.
Citation
Clark, M. and E. Harrell, C. (2013), "Unlike chess, everyone must continue playing after a cyber-attack", Journal of Investment Compliance, Vol. 14 No. 4, pp. 5-12. https://doi.org/10.1108/JOIC-10-2013-0034
Publisher
Emerald Group Publishing Limited
Copyright © 2013, Emerald Group Publishing Limited