The Unique Challenges of Companies Born in the Cloud

The rapid shift towards cloud-based environments has fundamentally altered how organizations manage their security policies. For legal firms, which handle sensitive client data and must comply with stringent regulatory requirements, understanding the nuances of cloud security is paramount. The differences between securing on-premises networks and fully cloud-based environments are stark, and failing to adapt to these changes can lead to significant vulnerabilities.

Rich Mogull, Chief Information Security Officer (CISO) at FireMon, recently shed light on these challenges during an appearance on Paul’s Security Weekly. Mogull's insights are particularly relevant for legal firms as they navigate the complexities of cloud security, especially when considering technologies like Secure Access Service Edge (SASE) and Software-Defined Wide Area Network (SD-WAN) to enhance network access for remote users.

1. The Democratization of Security in the Cloud

One of the most significant shifts in cloud-based environments is what Mogull refers to as the "democratization" of security. In traditional on-premises networks, security was naturally centralized and managed through a gatekeeping approach, often controlled by IT departments. However, in the cloud, this centralized control has become decentralized. For legal firms, this means that security practices must evolve to address this new, distributed environment.

Mogull emphasized the importance of privilege management and engaging with security teams across various siloes. For legal professionals, this could involve rethinking how access controls are implemented and ensuring that sensitive data remains protected, even in a more fragmented infrastructure.

2. Cloud Governance: The Foundation of Security

For legal firms transitioning to or operating in a cloud-based environment, establishing robust cloud governance is critical. This involves setting clear policies and procedures for managing cloud resources, ensuring compliance with legal and regulatory standards, and maintaining control over who has access to what.

Mogull's advice to "start by fixing cloud governance" is particularly pertinent. In the legal industry, where compliance with regulations like GDPR, HIPAA, and others is non-negotiable, having a well-defined governance framework can prevent data breaches and unauthorized access to sensitive information.

3. Adopting the Role of a Security Champion

Mogull also highlighted the value of adopting the concept of a "security champion" within organizations. For legal firms, this could mean designating a security advocate within each practice area or department who is responsible for promoting best practices and ensuring that security policies are followed.

The role of a security champion is to bridge the gap between the IT security team and other departments, making sure that everyone understands the importance of adhering to security protocols, particularly in a cloud-based environment where traditional perimeter defenses no longer apply.

4. Enhancing Cloud Security Visibility

Visibility into cloud environments is crucial for detecting and responding to security incidents in real-time. Legal firms must ensure that they have the tools and processes in place to monitor cloud activity continuously. This includes tracking access logs, monitoring for unusual behavior, and ensuring that all cloud resources are properly configured.

Mogull's recommendation to "improve your cloud security visibility" aligns with the need for legal firms to have a clear view of their cloud infrastructure. This visibility is essential for identifying potential threats before they can cause harm, especially given the sensitive nature of the data that legal firms handle.

5. Managing the Blast Radius of Attacks

In the event of a security breach, the concept of managing the "blast radius" becomes critical. This refers to the extent of damage that can be caused by a single security incident. Mogull advises using multiple accounts to manage this risk, thereby limiting the potential impact of an attack.

For legal firms, this might involve segmenting data and resources across different cloud accounts or environments to ensure that a breach in one area does not compromise the entire system. This approach can also help in meeting compliance requirements by isolating sensitive data and applying the necessary security controls.

6. Strengthening Cloud-Native Incident Response

Finally, Mogull advocates for leveling up cloud-native incident response capabilities. Legal firms must be prepared to respond swiftly to security incidents in the cloud, using tools and strategies that are specifically designed for cloud environments.

This includes having a well-practiced incident response plan that accounts for the unique challenges of the cloud, such as the need to quickly identify and isolate affected resources, communicate with stakeholders, and mitigate the impact of the breach.

Conclusion: Embracing Cloud Security in the Legal Industry

As legal firms continue to adopt cloud-based technologies, understanding and addressing the unique security challenges that come with this shift is critical. By following the insights provided by experts like Rich Mogull, legal professionals can ensure that their firms are well-protected against the evolving threat landscape.

Implementing robust cloud governance, enhancing security visibility, managing access controls, and preparing for incidents are all essential steps in safeguarding sensitive client information and maintaining compliance with legal and regulatory standards.

As the legal industry increasingly moves to the cloud, those firms that invest in the right security strategies and technologies will be better positioned to protect their clients and maintain their reputations in a rapidly changing digital world.

Gayatri GuptaAugust 20, 2024

Nasdaq Compliance

The Nasdaq Stock Market features three tiers of listed companies, namely: (1) The Nasdaq Global Select Market, (2) The Nasdaq Global Market, and (3) The Nasdaq Capital Market. These tiers are characterized by progressively stringent listing requirements, with the Nasdaq Global Select Market setting the highest standards for initial listings and the Nasdaq Capital Market serving as the entry-level tier, particularly suitable for most small-cap issuers.

To list securities on Nasdaq, a company must fulfill minimum listing requirements, encompassing defined criteria related to financial performance, liquidity, and corporate governance. Nasdaq retains extensive discretion in the listing process and reserves the right to reject an application, even if the technical prerequisites are satisfied, if it deems such denial essential to safeguard the interests of investors and the public.

After securing a listing on Nasdaq, a company is obligated to adhere to ongoing listing standards. To initiate the listing process, a company seeking inclusion on Nasdaq must diligently complete and submit a comprehensive listing application to Nasdaq. This application should include specific documents and information as outlined by Nasdaq's requirements.

Typically, the application process spans a duration of four to six weeks. Once the application is submitted, a Nasdaq analyst is designated as the primary liaison with the company. Within two to three weeks of submission, the company can expect to receive an initial comment letter. The comment and review process persists until a decision is reached on the approval or denial of the application. Similar to filing with the SEC, a meticulously prepared Nasdaq application tends to attract fewer comments and facilitates a more streamlined process. Generally, the company's securities counsel assumes a leading role, serving as the primary contact for preparing the application and engaging in communication with Nasdaq.

Similarly to the SEC review process, Nasdaq conducts a thorough examination of publicly accessible information pertaining to a company. This encompasses, but is not limited to, SEC filings, the company's website, management communications and speeches, as well as press releases. The iterative nature of the review process typically doesn't necessitate a formal protocol, and communication is commonly facilitated through email correspondence and phone calls.

Listing Criteria For Nasdaq
For a company to list its securities on Nasdaq, it must satisfy the following criteria:

Specific Initial Requirements:
- Quantitative Standards: Meeting defined thresholds for both quantitative and qualitative factors.
- Qualitative Standards: Fulfilling certain qualitative benchmarks.
Continuing Requirements:
- Quantitative Criteria: Adhering to ongoing quantitative benchmarks.
- Qualitative Criteria: Maintaining specified qualitative standards.

The initial quantitative thresholds are typically set at a higher level than those required for continued listing. This distinction aims to ensure that companies achieve a sufficient level of maturity before being listed. Additionally, Nasdaq imposes rigorous corporate governance standards that listed companies must adhere to throughout their tenure on the exchange.

Before formally submitting a comprehensive listing application, a company has the option to pursue a preliminary listing eligibility review. In this stage, the Listing Qualifications Staff conducts a thorough examination of the company's public filings to assess its compliance with numerical listing requirements. Additionally, the team evaluates the company's adherence to corporate governance requirements outlined in the Marketplace Rules ("Rules"). This preliminary review provides valuable insights into the company's eligibility for listing on Nasdaq before committing to the full application process.

Upon completion of the preliminary review, the Listing Qualifications Staff will make an assessment regarding whether the company meets the numerical listing criteria. Additionally, any corporate governance or regulatory concerns raised during this phase will be considered to determine their impact on the listing approval. It's important to note that while the preliminary review provides insights, final approval necessitates the submission of a formal listing application. This application undergoes a thorough examination by the NASDAQ Listing Qualifications Staff. Furthermore, the final approval process involves satisfactory compliance with specific qualitative reviews. This includes an examination of the regulatory history of the company's officers, directors, and significant shareholders. Meeting these criteria is integral to obtaining the final approval for listing on Nasdaq.

Financial And Liquidity Requirements

    Requirements

    Equity Standard
    Market Value of Listed Standard
    Net Income Standard

    Listing Rules

    5505(a)
and
5505(b)(1)
    5505(a)
and
5505(b)(2)
    5505(a)
and
5505(b)(3)
    
    Stockholders Equity

    	$5 million
    	$4 million
    	$4 million
    
    The market value of publicly held shares

    $15 million
    $15 million
    $
      5 million
    
    Operating History

    	Two years
    N/A
    N/A
    
    The market value of listed securities

    N/A
    $50 million
    N/A
    
    Net income from continuing operations (in the latest fiscal
a year or in two of the last three
fiscal years)

    N/A
    N/A
    $750,000
    
    Publicly held shares

    	1 million
    	1 million
    	1 million
    
    Bid Price

    	$4
    	$4
    	$4)
    
    Closing Price

    	$3
    	$2
    	$43
    
    Corporate Governance

    Yes
    Yes
    Yes
    
    Total Shareholders

    300
    300
    300

Corporate Governance Requirements

Across all three tiers of the Nasdaq Stock Market, corporate governance requirements remain largely consistent. The categories encompassing corporate governance standards include:

Distribution of Annual or Interim Reports
Independent Directors
Audit Committee
Compensation Committee
Nomination of Directors
Code of Conduct
Annual Meetings
Solicitation of Proxies
Quorum
Conflict of Interest
Shareholder Approval
Voting Rights

These governance elements play a crucial role in ensuring transparency, accountability, and ethical conduct within listed companies, irrespective of the specific tier within the Nasdaq Stock Market.

Companies seeking listing on Nasdaq must adhere to specific corporate governance standards, including the following:

Compensation Committee with Independent Directors:
- The company is required to establish a compensation committee comprised of independent directors.
- The committee must consist of at least two members.
- Rule 5605(d)(2)(A) introduces an additional independence test for compensation committee members.
Responsibility for Executive Compensation:
- The compensation committee is tasked with determining or recommending to the entire board the compensation of the chief executive officer (CEO) and all other executive officers.

These standards are designed to ensure a level of independence and scrutiny in the decision-making processes related to executive compensation within the company.

The Application And Documents

The Nasdaq application package encompasses several key components:

Symbol Reservation Form:
- Used to request the reservation of a specific trading symbol for the company.
Listing Application:
- Requires supplemental documents and details about the company's financials, operations, and other pertinent information.
Listing Agreement:
- A formal agreement outlining the terms and conditions of the listing on Nasdaq.
Corporate Governance Certification:
- A certification affirming the company's commitment to meeting Nasdaq's corporate governance standards.
Initial Application Fee:
- Payable via check or wire transfer, this fee is a prerequisite for initiating the listing process.
Logo Submission Form:
- Used for submitting the company's logo for use in Nasdaq's materials.

These application forms are completed through the Nasdaq website listing center, utilizing the online platform to facilitate the submission of supplemental and supporting documents. It is advisable to thoroughly review all required paperwork in advance, ensuring that the necessary information is readily available before initiating the application process.

Symbol Reservation Form

The symbol reservation form is a concise, one-page electronic form where applicants input information for Nasdaq's consideration. Nasdaq symbols, limited to 1-5 characters, adhere to guidelines established by the Intermarket Symbols Reservation Authority (ISRA). The ISRA system is designed to organize symbols efficiently, prevent duplication, and reduce programming and operational complexities. The ISRA operates within the framework of the NMS Symbology Plan, a plan utilized by Nasdaq.

Key details about the symbol reservation process:

Symbol Choices:
- The form allows applicants to propose three symbol choices in order of preference.
- While Nasdaq generally honors the first choice if available, it retains the authority to assign, rescind, or reassign a trading symbol at its discretion.
ISRA and Nasdaq Authority:
- The ISRA and Nasdaq have overarching authority in managing the assignment of symbols.
Additional Information:
- The form captures essential details about the issuer and the planned public offering.
- Information may include the name of the attorney, lead underwriter (if applicable), CEO and CFO names, yearly revenues, company website, and the sector in which the company operates.

Completion of this symbol reservation form initiates the process of securing a trading symbol on Nasdaq, and it's essential to provide accurate and comprehensive information to facilitate this stage of the listing application.

The Application

The Nasdaq listing application process is comprehensive and varies based on the circumstances surrounding the listing sought. There are twelve distinct listing applications catering to different situations, including changes of control, switches from other exchanges or markets, spin-offs, and initial public offerings (IPOs). Each application, spanning approximately seven pages, collects detailed information about the company, covering areas such as address, contact and billing details, securities attorney and auditor information, transfer agent particulars, and the company's officers and directors. Specific information on the company's securities, including type, par value, and cusip number, is also required.

Furthermore, the application mandates disclosure of legal proceedings involving the company, its officers or directors, or significant shareholders over the past ten years. This encompasses inquiries, investigations, lawsuits, litigation, arbitrations, and other legal and administrative proceedings. Documents supporting the backup and final disposition of these matters must be provided.

Regarding private offerings within the prior six months, including bridge financings, shelf registrations, and Regulation S offerings, the company is required to disclose such activities. Additionally, the application delves into the company's background, posing questions to ensure compliance with seasoning rules.

While Nasdaq retains the right to request relevant supporting documents, specific documents are mandatory based on the application type. For an uplisting from an existing U.S. market, the application must include letters from three market makers confirming their commitment to making a market in the subject securities. Other required documents include a listing agreement, a logo submission form, a corporate governance certification form, regulatory correspondence over the past 12 months, and shareholder confirmation documents. Nasdaq often seeks confirmation from the company's transfer agent regarding the eligibility of the security for the direct registration program (DRS).

During the review of an up listing application, Nasdaq may request additional information, such as a Broadridge share range analysis and NOBO list, a certified shareholder list, details about mitigating any going concerns or opinions, income statement and/or balance sheet projections for the next 12 months, and confirmation of Sarbanes Oxley Section 302 and 906 certifications by the company, among other inquiries related to compliance and financial matters.

The Listing Agreement

The Listing Agreement is a concise document, spanning two pages, serving as a formal affirmation of the company's commitment to adhere to all rules and regulations set forth by the Nasdaq Stock Market. It includes provisions for indemnifying and holding Nasdaq harmless from liability. Notable points in the agreement include:

Compliance Assurance:
- The company explicitly agrees to comply with all rules and regulations stipulated by the Nasdaq Stock Market.
Indemnification Clause:
- The company indemnifies Nasdaq, meaning it undertakes to compensate or reimburse Nasdaq for any losses or damages incurred. This includes harm resulting from third-party trademark infringement claims related to the company's symbol and logo, as well as Nasdaq's use of the same.
Disclaimer of Warranty and Liability:
- The agreement contains a disclaimer of warranty and liability against Nasdaq for trading issues, with the exception of those resulting from gross negligence or willful misconduct.

This agreement establishes a clear framework for the relationship between the listed company and Nasdaq, emphasizing the company's commitment to regulatory compliance while providing indemnification for certain specified matters and delineating the scope of Nasdaq's liability.

Corporate Governance Certification Form

The corporate governance certification form certifies compliance with the governance requirements related to an audit committee, director nomination process, compensation committee, board composition, executive sessions, quorum, and codes of conduct. Where an exemption applies, the form requires specification of the exemption terms. The document specifies the different rules and exceptions in a check-the-box format.

Logo Submission Form

The logo submission form contains the guidelines for the logo and affirms Nasdaq’s rights to use the same. Nasdaq uses company logos in its marketing materials, on the MarketSite Video Wall and Tower, and websites.

Fees

Entry fees are based upon the aggregate number of shares to be listed at the time of initial listing, regardless of class, with a maximum cap of $75,000. Fees are assessed on the entry date in The Nasdaq Capital Market, except for $5,000, representing a non-refundable application fee. This fee must be submitted with the company’s application.

Nasdaq does not charge application or entry fees for any securities transferred from a national securities exchange.

Benefits Of Trading On An Exchange

There are many benefits to trading on an exchange instead of the OTC Markets. The most significant benefits to a business are the ability to attract analyst coverage and institutional investors and the corresponding increase in liquidity that comes with both. Stocks that trade on Nasdaq tend to have a lower bid/offer spread — again encouraging trading volume and liquidity. Exchange-traded securities are exempt from the penny stock definition, allowing more market maker and broker-dealer participation. As further explained below, a broker-dealer cannot recommend a penny stock transaction to its retail clients. Therefore, no analysts, financial advisors, or institutional investors make recommendations for purchases of penny stocks.

As an aside, this is one of the reasons that OTC Markets created the OTCQX market tier, which does not list penny stocks. It is also why the small-cap industry is pushing for a supported valid venture exchange (for further reading.

In today’s world, depositing stock and/or trade-in non-exchange traded securities is increasingly difficult. Despite the congressional efforts and SEC rulemaking in support of small-cap capital formation (for example, the JOBS Act, including the emerging growth company regulations, new Regulation A+ and Title III Crowdfunding and the new FAST Act), through enforcement and investigative proceedings, both the SEC and FINRA continue to apply pressure on broker-dealers, clearing firms and transfer agents to reduce the secondary trading and free flow of penny stocks. For more information on difficulties in depositing stocks.

Further On Penny Stocks

NASDAQ and NYSE MKT traded securities are exempted from the definition of a “penny stock” due to the initial and ongoing listing standards. Penny stock rules focus on broker-dealers’ activity in effectuating trades in penny stocks. The Securities Enforcement Remedies and Penny Stock Reform Act of 1990 (the “Penny Stock Act”) prohibits broker-dealers from effecting transactions in penny stocks unless they comply with the requirements of Section 15(h) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The rules promulgated thereunder, particularly Exchange Act rules 15g-1 through 15g-100 (the “penny stock rules”).

Section 15(h) of the Exchange Act provides that no broker or dealer may effectuate a customer’s purchase or sale of any penny stock unless such broker or dealer.

Approves the customer for the specific penny stock transaction and receives a written agreement to the transaction from the customer.
Furnishes the customer a risk disclosure document describing the risks of investing in penny stocks.
Discloses to the customer the current market quotation, if any, for the penny stock, including the bid and ask prices and the number of shares that apply to such bid and ask prices.
Discloses to the customer the amount of compensation the firm and its broker will receive for the trade.

In addition, after executing the sale, a broker-dealer must send its customer monthly account statements showing the market value of each penny stock held in the customer’s account.

Moreover, brokers and dealers subject to the penny stock rules are subject to additional disclosure requirements outlined in Rules 15g-2 through 15g-9. For my information on penny stocks and the rules affecting broker-dealer activity.

Securities Lawyer Blog