SecurityWeek

New Legislation May Give the SEC’s Breach Guidance Some Teeth

In the wake of a breach at Wyndham Worldwide that has resulted in a lawsuit against the company from the FTC, questions have emerged about why there was no SEC filing from the hotel and resort chain – given the guidance and recommendations published by the commission last year.

Last October, the U.S. Securities and Exchange Commission’s Corporation Finance division released guidance to publicly traded companies on cybersecurity incident disclosure. As things stand, the SEC stated, there are no requirements that mention cybersecurity. Yet, publicly traded companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

As mentioned, no such report has been filed with the SEC by Wyndham. The AP is reporting that Senator Jay Rockefeller is adding a provision to cybersecurity legislation that would give the SEC’s previously published guidance some teeth. According to the report, Rockefeller would direct the SEC’s commissioners to clearly define when companies must disclose breaches and outline the steps they are taking to protect corporate assets, including networks and data.

It isn’t clear if the legislation will pass or if the SEC will get any leverage to force companies to report breaches. As things stand now, they don’t have to and as such, they won’t. No company wants to talk about their failures.

As for Wyndham, the questions over its lack of commentary to the SEC (which it disputes, claiming that the notices on its corporate websites were enough) are only one issue; it still has a lawsuit to deal with.

The FTC is suing the hotel and resort chain for security failures that resulted in three breaches in less than two years.

Wyndham Worldwide spokesperson Michael Valentino told SecurityWeek that the company cooperated fully with the FTC’s investigation, and the accusations being levied are without merit.

“At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services,” he said in a statement. “To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks. Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.”
