Log4j: Enforcement Risk for Public Companies | McDermott Will & Emery

Security researchers predict that organizations will be contending with the vulnerability (and its fallout) for months to come. CISA created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders as well as a community-sourced GitHub repository of affected devices and services. These government resources are setting the baseline on reasonable security for Log4j response and, in essence, providing a potential roadmap for legal compliance.

While the wolf at the door may be the technical challenge of identifying and remediating the vulnerability, public companies need to monitor the application of internal controls and procedures in the response. Companies should also assess the impact that the Log4j vulnerability may have on their business, financial condition and results of operations. These inquiries will feed into whether a public company has any disclosure obligations under US securities law. Indeed, the Securities and Exchange Commission (SEC) has emphasized that public companies must take “all required actions” to inform investors about material cybersecurity risks and incidents1 in a…
