After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in its draft version and provides a blueprint to align cybersecurity efforts, along with the accompanying Roadmap document

As the latest 10-K filing period for corporations draws to a close, the Securities and Exchange Commission (SEC) is expected to intensify its scrutiny on whether companies’ filings adequately disclose both information security breaches that occurred in the past, and the material risks due to cyber threats such companies face in the future.  Since the Senate Commerce Committee focused greater attention upon corporate cybersecurity in a letter to the SEC on May 12, 2011, momentum has been building for expanded corporate disclosure of cybersecurity safeguards and security breaches.  In October 2011, the SEC issued guidance that publicly traded companies have a duty to disclose “material information regarding cybersecurity risks and cyber incidents” where failure to do so would make other disclosures misleading.  Recent developments both inside and outside the SEC show that corporations can expect an even brighter spotlight this year upon their cybersecurity efforts – and shortfalls.  Now more than ever, publicly traded companies need to be prepared to address, whether in responses to SEC comment letters or in preparing future filings, what material risks they may have due to cyber threats and whether they have taken steps to address such risks and vulnerabilities.

Recent Developments:

In its 2013 Examination Priorities, the SEC identified a number of “risk areas” attracting its focus, including enterprise risk management and companies’ “governance and supervision of information technology systems for topics such as operational capability, market access, and information security, including risks of system outages, and data integrity compromises that may adversely affect investor confidence.”  These Examination Priorities were published on February 21, 2013, one week after the President issued an Executive Order on improving critical infrastructure cybersecurity, and several days after the release of the Mandiant report, which tied the Chinese military to cyberattacks on over 140 U.S. and other foreign corporations and entities.

After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity.  Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential

Since the emergence of cybersecurity and privacy as high risk issues in the public sector, the Government Accountability Office (GAO) has been at the forefront – identifying risks, reviewing progress of federal agencies, and keeping Congress informed on the latest developments in the cyber and technology arena.  In this role, GAO has reported on the

As a part of the Senate’s recent passage of the 2013 National Defense Authorization Act, Senator Carl Levin (D-MI) has introduced an amendment that would direct the Department of Defense to establish procedures requiring contractors with security clearances to make disclosures when their covered networks have been successfully breached. Amendment 3195 appears to be the

Congressman Langevin (RI-D) serves as one of the leading experts and thought-leaders on Capitol Hill on cybersecurity developments and initiatives. He is the Co-Founder and Co-Chair of the bipartisan House Cybersecurity Caucus and previously co-chaired the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency, whose recommendations he is currently