Tag: cybersecurity disclosure
SEC Enforcement mini-sweep charges hypothetical risk factors and other misleading cyber disclosures
On Tuesday, the SEC announced settled charges against four companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions.” The charges against the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited, all resulted from an investigation of companies “potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.” (See this PubCo post and this PubCo post.) According to law.com, the SEC “began issuing sweep letters to potential SolarWinds hack victims back in 2021.” The SEC charged that each of these companies learned that the “threat actor” that was probably the cause of the SolarWinds hack had “accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” In two instances, the companies were alleged to have framed their disclosures as hypothetical or generic risks. Unisys was also charged with a disclosure controls violation. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, “[a]s today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered….Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, cautioned that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy….In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The companies were each charged with violations of the Securities Act, the Exchange Act and related rules, and agreed to pay civil penalties ranging from $990,000 (Mimecast) to $4 million (Unisys). Commissioners Hester Peirce and Mark Uyeda dissented, contending that the SEC “needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.”
Cooley Alert: Federal Court Dismisses Bulk of SEC’s Complaint Against SolarWinds in Cyberattack Case
The 2020 SolarWinds hack was perhaps one of the worst cyberattacks in history, reportedly directed by the Russian intelligence service and affecting 18,000 customers, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments. Following the cyberattack, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging securities “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” (See this PubCo post.) SolarWinds and Brown then moved to dismiss the complaint for failure to state a claim. On July 18, 2024, a federal district court issued a 107-page opinion, dismissing most of the SEC’s case against SolarWinds and its CISO.
Corp Fin Director issues statement regarding sharing information about cybersecurity incidents
Yesterday, Corp Fin Director Erik Gerding issued a new statement, Selective Disclosure of Information Regarding Cybersecurity Incidents. As you know, last year the SEC adopted new rules regarding cybersecurity disclosure, including requirements for both material incident reporting on Item 1.05 of Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. (See this PubCo post.) Gerding’s new statement is designed to disabuse companies of the idea that the new rules preclude them from discussing information about a material cybersecurity incident with others, including their commercial counterparties, beyond the information included in the Form 8-K. Gerding assures us that “[t]hat is not the case.” But while the new rules may not prohibit disclosure, what about Reg FD?
Statement of Corp Fin Director on reporting cybersecurity incidents on Form 8-K
Yesterday, Corp Fin Director Erik Gerding issued a statement designed to clarify the use of Form 8-K Item 1.05 versus Form 8-K Item 8.01 when reporting cybersecurity incidents. Sounds like some of us might be doing it incorrectly—or at least sub-optimally—potentially resulting in investor confusion. Gerding’s statement is designed to set us straight. He also offers a little guidance about making materiality determinations regarding cybersecurity incidents.
What happened at the Corp Fin Workshop of PLI’s SEC Speaks 2024?
At the Corp Fin Workshop last week, a segment of PLI’s SEC Speaks 2024, the panel focused on disclosure review, a task that occupies 70% of Corp Fin attorneys and accountants. The panel discussed several key topics, looking back to 2023 and forward to 2024. Some of the presentations are discussed below.
SEC charges SolarWinds and CISO with securities fraud and control failures
You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As NPR described it in 2021, we all regularly receive routine software updates like this one:
“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”
according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
SEC adopts final rules on cybersecurity disclosure [UPDATED]
[This post revises and updates my earlier post primarily to provide a more detailed discussion of the contents of the adopting release.]
At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
SEC adopts final rules on cybersecurity disclosure
In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.
According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
SEC posts Spring 2023 Reg-Flex Agenda—not much new but lots left to do
The SEC’s Spring 2023 Reg-Flex Agenda—according to the preamble, compiled as of April 10, 2023, reflecting “only the priorities of the Chair”—has now been posted. Here is the short-term agenda, which shows most Corp Fin agenda items targeted for action by October 2023, potentially making the next four months an especially frenetic period, with only a few proposal-stage items targeted for April 2024. And here is the long-term (maybe never) agenda. Describing the new agenda, SEC Chair Gary Gensler observed that “[t]echnology, markets, and business models constantly change. Thus, the nature of the SEC’s work must evolve as the markets we oversee evolve. In every generation since President Franklin Roosevelt’s, our Commission has updated its ruleset to meet the challenges of a new hour. Consistent with our legal mandate, guided by economic analysis, and informed by public comment, this agenda reflects the latest step in that long tradition.”
The short-term agenda includes a half dozen or so potential proposals that were on the Fall 2022 agenda, but didn’t quite make it out of the starting gate, such as plans for disclosure regarding corporate board diversity and human capital. Similarly, issues related to the private markets are still awaiting proposals. The question of why and how to address the decline in the number of public companies has, in the recent past, been a point of contention among the commissioners: is excessive regulation of public companies a deterrent to going public or has deregulation of the private markets juiced their appeal, but sacrificed investor protection in the bargain? That debate may play out in the coming months with two new proposals targeted for October this year: a plan to amend the definition of “holders of record” and a proposal to amend Reg D, including updates to the accredited investor definition. And the behemoth proposal regarding climate change disclosure—identified on the last agenda as targeted for final action but not considered for adoption on the schedule as planned—reappears on the current calendar with a later target date. Will that new target be met? Notably, political spending disclosure is, once again, not identified on the agenda. That’s because Section 633 of the Appropriations Act once again prohibits the SEC from using any of the funds appropriated “to finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.”
Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!
Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”