Technical Disclosure Statements


Summary

Technical disclosure statements are formal records where organizations publicly document details about technology use, vulnerabilities, risks, or impacts—often to comply with regulations or promote transparency. These statements help stakeholders understand how companies manage issues like cybersecurity incidents, AI adoption, or environmental risk, making technical concepts accessible and accountable to the wider public.

  • Clarify your statement: Use straightforward language and avoid jargon so that anyone reading your technical disclosure can grasp the risks or policies being described.
  • Publish and update: Ensure your statement is easily available on your website and commit to reviewing and revising it regularly, especially after significant changes.
  • Structure for transparency: Include clear explanations of why technologies are used, how risks are handled, and how stakeholders can reach out with questions or concerns.
Summarized by AI based on LinkedIn member posts
  • Noah G. Susskind

    Security Trust @Wiz | Cyber, AI, Law | JD CISSP CIPP

    3,405 followers

    Over-lawyering your firm’s vulnerability disclosure policy makes you less secure.

    Walter Haydock and I were chatting about something baffling. It’s almost 2025, but he still sees companies’ Terms and Conditions that say “attempting to probe, scan, or test” their tech for security vulnerabilities without authorization is prohibited. Why?

    Here’s our guess. Some Legal departments wouldn’t know a pentest from an nmap scan, so they’re making two mistakes. One, they’re copying each other’s boilerplate that equates running vulnerability scans, fuzzing, and other probing techniques with hacking. And two, they didn’t see the 2022 memo from the US Department of Justice. It said even accessing computer systems as part of good faith research does not violate the Computer Fraud and Abuse Act. This is not the grey area it used to be.

    Today, encouraging researchers to disclose security vulnerabilities on your tech is best practice. Which is why Tesla, Microsoft, and MAANG do it. Look at Apple’s OS and iOS updates. They credit researchers who helped make Apple products safer in this way. In fact, for all baselines in NIST SP 800-53, a public disclosure program is required (RA-5(11)). So it’s mandatory for any FedRAMP-tastic Cloud Service Offering used by the US federal government.

    Your assets are not so fragile that basic scans are threats. Probing like that is going to happen no matter what. Historically, we have responsible disclosure to thank for surfacing weaknesses and breaches at Capital One, Morgan Stanley, and Jeep. In the open-source community, a whistleblower told the Apache Software Foundation – and the world – about Log4j.

    What does a “responsible” disclosure program look like?

    1. Have a written policy. Make it easy to find with a security.txt file and/or webpage.
    2. Define the guardrails, and offer safe harbor to those who follow them. Maybe direct attention to certain domains while disallowing DDoS, social or reverse engineering, and clickjacking.
    3. Establish a mechanism for receiving reports. Assign responsibility for triage.
    4. Acknowledge submissions quickly. Set expectations about timelines and publication embargoes.
    5. Communicate updates with the submitters. Ask questions if you’re skeptical or need help validating.
    6. Fix important vulnerabilities on a risk-based timeline. Notify customers in advance if needed.
    7. Give credit where it’s due via public release notes alongside patches. Many researchers welcome the prestige of a CVE on their resume.
    8. Anything else?

    As for paying bug bounties, that’s a nice-to-have. Top tech firms offer it, but many SMBs can’t afford to. Just don’t YOLO-ship weak product, hoping the public will catch your mistakes in return for silence.

    Folks, if we can’t get responsible disclosure right for security vulnerabilities, we’re in for a world of pain with AI vulnerabilities.

    Disclaimer: Consult cyber-savvy attorneys instead of mistaking this or any LinkedIn post for legal advice.

  • Iwan Dharmawan

    Risk Monitoring Committee Member @OCBC Indonesia | Audit Committee Member @Zurich Insurance | Senior Advisor @Alvarez & Marsal | Risk Management Expert

    33,311 followers

    The IFRS Foundation's educational material highlights the significance of disclosing anticipated financial effects under ISSB Standards (IFRS S1 and IFRS S2). Companies are required to articulate how sustainability-related risks, particularly those associated with climate change, influence their operations. These disclosures furnish investors with crucial insights for decision-making, complementing conventional financial statements and aligning with the TCFD framework.

    Central principles stress the importance of coherence with financial statements, averting redundancy, and integrating both quantitative and qualitative information. Quantitative disclosures may encompass specific amounts or ranges, while qualitative disclosures offer context in areas with notable measurement uncertainty. It is imperative for companies to delineate and disclose their time horizons, connecting these disclosures with strategies, decision-making processes, and climate-related metrics.

    To address implementation hurdles, ISSB Standards introduce proportionality mechanisms:

    - Utilizing all reasonable and supportable information available without undue cost or effort.
    - Customizing disclosures to a company's expertise, resources, and capabilities, with expectations for advancement over time.
    - Permitting exceptions for inseparable effects, high uncertainty, legal constraints, or commercially sensitive matters.

    Examples include risks like carbon pricing, floods, and water scarcity, as well as opportunities such as timber housing demand and e-waste recycling. ISSB disclosures strive to transparently associate sustainability impacts with financial outcomes, advocating for progressive, standardized, and investor-centric reporting. These endeavors contribute to a more enlightened investment environment and reinforce sustainable business practices.

  • Andrey Gubarev

    Delivering Cybersecurity & Compliance for Fintech companies

    30,553 followers

    SEC Cybersecurity Incident Disclosure Report

    Imagine a 60% rise in cyber incidents since new SEC rules. This report dives deep into 75 disclosures from 48 companies (December 2023 and October 2024).

    ↳ Key Insights:
      • Less than 10% described the material impact.
      • 78% disclosed within eight days, with 42% updating their Form 8-K.
      • One in four breaches were third-party incidents.
      • Threat actors used SEC rules as extortion tactics, even submitting whistleblower reports.

    ↳ Authors analyzed these disclosures, focusing on:
      • Information disclosed about Cybersecurity Incidents.
      • Methods of disclosure to the SEC.
      • Future compliance strategies.

    ↳ Key Findings:
      • 75% of incidents notified law enforcement.
      • 13% included press releases or blog references.
      • 42% filed multiple disclosures for the same incident.

    ↳ Timing of Disclosures:
      • 32% within four days of discovery.
      • 78% within eight days.

    ↳ Examples of Material Impact:
      • Bassett Furniture Industries: Business operations affected.
      • Sonic Automotive: Quarterly results impacted.
      • First American Financial: Fourth-quarter operations affected.

    ↳ Industries Affected:
      • Financial Services
      • Healthcare
      • Retail
      • Technology

    ↳ Recommendations:
      • Evaluate and test disclosure controls.
      • Prepare for SEC enforcement actions.

  • Dennis Crouch

    Patents; AI; and Ethics - Law Professor at the University of Missouri School of Law

    115,352 followers

    An Information Disclosure Statement (IDS) is now likely the most effective shield against IPR petitions, as explained in Acting USPTO Director Coke Morgan Stewart's new precedential decision in Ecto World v. RAI. This decision confirms that IDS-cited prior art strongly supports discretionary denial under 35 U.S.C. § 325(d) -- even when not particularly discussed or relied upon by the examiner. However, there's an important exception for "mega-IDSs," emphasizing that overly voluminous disclosures without clear relevance might weaken this new defense. This case involved 1000 references, and Stewart remanded to the PTAB to consider whether the burying of references overcomes the seeming presumption of discretionary denial. https://lnkd.in/grk6HKi6

  • Ianja Ramananarivo

    Partner EY France - Sustainability reporting desk

    2,208 followers

    💡 2025 sustainability statements: what issuers need to know?

    European Securities and Markets Authority (ESMA) has released its 2025 Common Enforcement Priorities, and Section 2 is a must-read for all professionals preparing sustainability disclosures under the ESRS. Some highlights:

    Which framework for 2025 reporting?

    - Rely only on the ESRS as published in Official Journal – not EFRAG drafts nor its “technical advice” to the Commission. Monitor the “Quick Fix” publication in the Official Journal for phase-in extensions provision.
    - Consider adopting Taxonomy revised rules for FY25 disclosures even though applying the previous rules remains an option. The new rules are currently under scrutiny of co-legislators.

    Priority 1 - Materiality assessment

    - Go beyond boilerplate information: explain how materiality criteria were adapted to the company’s own process, disclose data sources, scope, thresholds, and how stakeholder interests and views were integrated.
    - Disclose how “gross” impacts (before mitigation actions) were considered in the assessment.
    - Link material IROs to strategy, and related policies, actions and targets. Map those IROs with ESRS topics and sub-topics and ensure completeness in their description (time horizon, origin of IRO, interdependencies).

    Priority 2 - Scope and structure of the sustainability statement

    - Align the perimeters of sustainability and financial statements, cover material IROs across the value chain, be transparent on any scope limitation.
    - Structure disclosures in 4 parts (cross cutting, E, S, G), use internal references but don’t excessively scatter information.
    - Connect sustainability statement with other parts of corporate reporting, especially for financial statements.

    🔎 Read the whole statement here - section 2 from page 5 for sustainability reporting: https://lnkd.in/eAPAx-7r

    🔗 ESMA has also published a study examining 2024 disclosures of European issuers on DMA process and its outcomes. https://lnkd.in/eKKBJXxb

  • CA Chetan R Kakani

    31,000+ Connects | Passionate Tax Professional | Research, Litigation & Advisory in GST, Custom & Other Indirect Taxes | Partner in Nation Building🇮🇳

    31,688 followers

    📘#ICAI Technical Guide on KPI Disclosure in Offer Documents (Oct. 2025 edition) Disclosure of key performance indicators (KPIs) in Initial Public Offer documents is crucial because they provide investors with insights into a company’s key operational and financial metrics that extend beyond standard accounting data, allowing for a more comprehensive and informed investment decision. KPIs enhance transparency and comparability by standardizing the information across companies and aligning issue pricing with critical business drivers, helping investors meaningfully evaluate the company’s growth prospects, risks, and valuation. This practice also bridges the information gap between public and pre-IPO investors, ensuring all stakeholders have access to material performance measures relevant to the company’s valuation. The SEBI (Issue of Capital and Disclosure Requirements) Regulations, 2018 require Issuer Companies to disclose Key Performance Indicators (KPIs) in the Initial Public Offer (IPO) document that are relevant for determining the basis of the Issue Price. The Auditing and Assurance Standards Board (AASB) of the Institute of Chartered Accountants of India (ICAI) had previously issued the “Technical Guide on Disclosure and Reporting of Key Performance Indicators (KPIs) in Offer Documents” in April 2023. In view of the recent amendments introduced through the ISF KPI Standards, AASB undertook the important task of revising this Technical Guide.

  • Michiel Van der Lof

    Partner at EY

    12,989 followers

    Technical Line - How the climate-related disclosures under the SEC rules, the ESRS and the ISSB standards compare The EY Technical Line has been updated to reflect recent developments, including the adoption of the SEC’s new climate-related disclosure rules. The publication highlights key differences among the SEC’s climate-related disclosure rules, the ESRS and the ISSB standards. It is intended to help entities with significant operations in multiple jurisdictions understand the rules and final standards. https://lnkd.in/emQs6ycy
