SEC underscores why cybersecurity whistleblower disclosures should be protected under SOX

As you know, this blog is intended to unite compliance, risk and internal audit professionals around the world. Those of you who are familiar with U.S. law will know about SOX. In the following lines, I summarize a press article that reported why the Securities and Exchange Commission (SEC) considers that SOX does not cover the cybersecurity risks present in whistleblower channels (I will be incorporating a link to the original article at the end of the week).

SOX does not protect disclosures about information security vulnerabilities. However, the SEC's charges of misleading investors about a cyber-intrusion and of failing to maintain adequate disclosure controls and procedures suggest that SOX does protect whistleblowing about deficient information security controls.

The SEC identifies three violations of securities law:

Sections 17(a)(2) and 17(a)(3) of the Securities Act, which make it unlawful for any person, in the offer or sale of any securities, by the use of any means or instruments of transportation or communication in interstate commerce or by use of the mails, directly or indirectly, to obtain money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading; or to engage in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser;

Section 13(a) of the Exchange Act, which requires every foreign issuer of a security registered pursuant to Section 12 of the Exchange Act to furnish the Commission with periodic reports containing information that is accurate and not misleading; and

Rule 13a-15(a) of the Exchange Act, which requires every issuer to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or furnishes is recorded, processed, summarized, and reported, within the time period specified in the SEC’s rules and forms.

Whistleblower disclosures about inadequate information security can also implicate the following SEC rules:

Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky. This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky;

SEC Rule 10b-5, which prohibits public disclosures that misstate or omit material facts in connection with the purchase or sale of any security; and

Section 404 of SOX, which requires a corporation to assess the effectiveness of its internal controls in its annual reports and identify material weaknesses in these internal controls, including information security controls.

Implications for Cybersecurity Whistleblowers

As inadequate cybersecurity and attempts to conceal data breaches harm shareholders at public companies, it is critical to protect cybersecurity whistleblowers against retaliation. 
