    Corporate Directors' and Officers' Cybersecurity Standard of Care: The Yahoo Data Breach

    On September 22, 2016, Yahoo! Inc. ("Yahoo") announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time. The information stolen likely included names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data did not include unprotected passwords, payment card data, or bank account information. Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the company's core business to Verizon Communications. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach. Social media and electronic commerce websites face significant risk factors, and an acquirer may inherit cyber liability and vulnerabilities. The fact pattern in this announced acquisition raises a number of important corporate governance issues: whether Yahoo's conduct leading up to the data breaches and its subsequent conduct constituted a breach of the duty to shareholders to provide security, the duty to monitor, the duty to disclose, or some combination thereof; the impact on Verizon shareholders of the acquisition price renegotiation and Verizon's assumption of post-closing cyber liabilities; and whether more drastic compensation clawbacks for key Yahoo executives would be appropriate. Cybersecurity remains a threat to all enterprises, and this Article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of cyber liability risk.

    Board Gender Diversity and Cybersecurity Disclosure Characteristics


    Voluntary cybersecurity disclosure in the banking industry of Bangladesh: Does board composition matter?

    Purpose - Cybersecurity disclosure (CSD) provides users with valuable information and significant insights about a firm's susceptibility to cyber risk and its management. It is argued that the board of directors, with its oversight role, should be vigilant in managing cyber risk and disclosures. This study aims to measure the extent of CSD of the banking companies and examines the association between the characteristics of board composition (i.e., board size, board independence and gender diversity) and CSD. Design/methodology/approach - This study adopted automated content analysis to find out the extent of CSD in the listed commercial banks of an emerging country, Bangladesh, where CSD is voluntary. Further, multiple linear regression is applied to determine the relationship between board composition and CSD. Findings - The findings reveal an increasing trend of CSD over the sample period (2014-2020). The study confirms a significant positive relationship between board independence and CSD. The study also demonstrates that the higher presence of female directors on the board is associated with higher CSD. However, no consistently significant relationship is found between board size and CSD. Practical implications - The study provides an overall understanding of current trends of CSD in the banking sector of a developing country. Regulators may use our findings to understand the current level of CSD and assess the need for issuing guidance in this regard. The association between board composition and CSD has implications both for banks when selecting board members and policymakers when establishing requirements concerning board composition under corporate governance guidelines. Originality - This is one of the very few studies in the context of an emerging economy where CSD is voluntary. The paper contributes to a narrow stream of research investigating CSD and its association with board composition. Notably, it contributes to understanding how board composition is associated with CSD in the banking industry, which is highly exposed to cyber risk.

    Securities Law: Overview and Contemporary Issues

    This is not your grandfather's SEC anymore. Rapid technological change has resulted in novel regulatory issues and challenges, as law and policy struggle to keep pace. The U.S. Securities and Exchange Commission (SEC) reports that "the U.S. capital markets are the deepest, most dynamic, and most liquid in the world. They also have evolved to become increasingly fast and extraordinarily complex. It is our job to be responsive and innovative in the face of significant market developments and trends." With global markets increasingly interdependent and interconnected and, "as technological advancements and commercial developments have changed how our securities markets operate, our ability to remain an effective regulator requires us to continuously monitor the market environment and, as appropriate, adjust and modernize our expertise, rules, regulations, and oversight tools and activities." The success or failure of our society, the jobs of a global workplace, and the ability of families everywhere to feed, clothe, and house themselves depend on the success of the SEC in providing fair and open access to capital through efficient markets. Our paper proceeds in eight parts. First, we explain the genesis and role of the Securities and Exchange Commission (SEC). Second, the definition of and what exactly constitutes a "security" is provided. Third, the securities issuance process is discussed. Fourth, we focus our discussion on the Division of Enforcement. Fifth, we discuss corporate governance and the SEC. Sixth, we explore the difficult task of governing during times of rapid technological change. Seventh, we examine contemporary issues that face the Commission. And last, we conclude.

    Regulating Dynamic Risk in Changing Market Conditions

    How successful are the SEC's attempts to regulate dynamic risk in financial markets? Using mutual fund disclosure data from two financial shocks--the Puerto Rican debt crisis and COVID-19--this Article finds evidence that SEC open-ended regulations, like the obligation to disclose changing market conditions, are largely successful in capturing dynamic, future risk. Funds engage in widespread and, often, detailed disclosures for new risks--although these disclosures vary widely in specificity. But not all funds disclose new risks. This creates perverse incentives for funds to opt out of disclosure or downplay threats with boilerplate language when new risks are emerging. This Article recommends several SEC interventions to improve dynamic risk disclosures, including empirically monitoring disclosures, issuing guidance when problematic variation is observed, and enforcing disclosure standards.

    Show-and-Tell or Hide-and-Seek? Examining Organizational Cybersecurity Incident Notifications

    The growing frequency of cybersecurity incidents commonly requires organizations to notify customers of ongoing events. However, the content contained within these notifications varies widely, including differences in the level of detail, apportioning of blame, compensation, and corrective action. This study seeks to identify patterns contained within cybersecurity incident notifications by constructing a typology of organizational responses. Based on a detailed review of 465 global cybersecurity incidents that occurred during the first half of 2020, we obtained and qualitatively analyzed 187 customer notifications. Our results reveal three distinct organizational response types associated with the level of detail contained within the notification (full transparency, guarded, opacity), as well as three additional response types associated with the benefiting party (customer interest, balanced interest, company interest). This work extends past classifications of cybersecurity incident notifications and provides a template of possible notification approaches that could be adopted by organizations.

    Informed Trading and Cybersecurity Breaches

    Cybersecurity has become a significant concern in corporate and commercial settings, and for good reason: a threatened or realized cybersecurity breach can materially affect firm value for capital investors. This paper explores whether market arbitrageurs appear systematically to exploit advance knowledge of such vulnerabilities. We make use of a novel data set tracking cybersecurity breach announcements among public companies to study trading patterns in the derivatives market preceding the announcement of a breach. Using a matched sample of unaffected control firms, we find significant trading abnormalities for hacked targets, measured in terms of both open interest and volume. Our results are robust to several alternative matching techniques, as well as to both cross-sectional and longitudinal identification strategies. All told, our findings appear strongly consistent with the proposition that arbitrageurs can and do obtain early notice of impending breach disclosures, and that they are able to profit from such information. Normatively, we argue that the efficiency implications of cybersecurity trading are distinct – and generally more concerning – than those posed by garden-variety information trading within securities markets. Notwithstanding these idiosyncratic concerns, however, both securities fraud and computer fraud in their current form appear poorly adapted to address such concerns, and both would require nontrivial re-imagining to meet the challenge (even approximately).