It’s déjà vu all over again! On Monday, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach. You might recall that just a few months ago, the SEC announced settled charges against another company for failure to timely disclose a cybersecurity vulnerability that led to a leak of data, with disclosure ultimately spurred by imminent media reports. Is there a trend here? In this instance, it wasn’t just a vulnerability—there was an actual known breach and exfiltration of private data. Nevertheless, Pearson decided not to disclose it and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. The case serves as yet another reminder of the dangers of risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure.
In In re Alphabet Securities Litigation, the State of Rhode Island, as lead plaintiff, filed a Rule 10b-5 action against Google LLC, its holding company Alphabet, Inc., and certain executives, alleging that the defendants failed to timely disclose certain cybersecurity defects and vulnerabilities. The district court granted defendants’ motion to dismiss the complaint, but on appeal, a three-judge panel of the 9th Circuit reversed in part, holding that the complaint “plausibly alleged” that the decision to omit information about these cybersecurity vulnerabilities “significantly altered the total mix of information available for decision-making by a reasonable investor” and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Importantly, the Court held that the complaint contained a plausible allegation that Alphabet’s omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged, the “hypothetical” events had in fact already come to fruition. The case serves as a reminder of a couple of now-familiar themes. Companies need to regularly review their risk factor disclosures, even when—or perhaps especially when—they are incorporating them by reference, to ensure that the disclosures have been updated to reflect actual events that may have made the risks described as merely hypothetical no longer so. It’s also notable that this case represents the second recent instance of allegations of failure to disclose the discovery of a material cybersecurity “vulnerability”—in the absence of a cyberattack—with disclosure ultimately compelled by the publication of an article exposing the defects. It’s another reminder that companies need to be vigilant for potential disclosure obligations about cybersecurity that might arise outside the context of cyberattacks and hacks, in the more-difficult-to-assess context of cybersecurity vulnerabilities.
Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
What are companies disclosing about their efforts to oversee cybersecurity risk? In this article, Ernst & Young analyzes cybersecurity-related disclosures in the proxy statements and Forms 10-K of Fortune 100 companies from 2018 to 2019, focusing on disclosure regarding board oversight, cybersecurity risk and risk management. Building on its similar analysis conducted for 2018 (see this PubCo post), EY detected “modest” enhancements in disclosures compared to the prior year—most significantly regarding board oversight practices—although the depth, detail and company-specificity of the disclosures continued to vary widely. Nevertheless, based on its observations of companies’ activities in the market, EY found that even these enhanced disclosures sometimes failed to capture all of a company’s oversight activities, such as third-party independent assessments or tabletop exercises designed to enhance preparedness. Given that many stakeholders have interests in cybersecurity risk preparedness and board oversight, EY advises, enhanced disclosure can serve to build “stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological innovations raise the stakes for data privacy and protections.”
In Senate testimony, SEC Chair offers insights into his thinking on a variety of issues before the SEC
In testimony last week before the Senate Committee on Banking, Housing and Urban Affairs, SEC Chair Jay Clayton gave us some insight into his thinking about a number of issues, including cybersecurity at the SEC, cybersecurity disclosure, the regulatory agenda, disclosure effectiveness, the shareholder proposal process, climate change disclosure, conflict minerals, compulsory arbitration provisions, stock buybacks, the decline in IPOs and overregulation (including some interesting sparring with Senator Warren). Whether any of the topics identified as problematic result in actual rulemaking—particularly in an administration with a deregulatory focus—is an open question.