Key Takeaways from Four SEC Cybersecurity Disclosure Enforcement Actions
The U.S. Securities and Exchange Commission (the “SEC”) has sent a clear message that it is scrutinizing corporate cybersecurity disclosures, and companies need to take their reporting obligations seriously. In a bold move, the agency recently settled four enforcement actions against U.S.-listed companies for allegedly misleading statements about cybersecurity incidents.
Each case involved a company – three U.S. domestic companies and one foreign private issuer – that used the SolarWinds Orion software, whose software updates had been trojanized in 2020 with malicious code by a reportedly nation-state-supported threat actor. According to the SEC’s orders, the companies learned in 2020-2021 that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization.
In the enforcement actions, the SEC alleged that the companies had minimized the impact of the cybersecurity incidents in their public disclosures, including in annual reports on Form 10-K and Form 20-F, violating the antifraud provisions of Section 17(a)(2) and Section 17(a)(3) of the U.S. Securities Act of 1933 (the “Securities Act”). The SEC also alleged violations of Section 13(a) of the U.S. Securities Exchange Act of 1934 (the “Exchange Act”) and its rules, which require companies to file certain reports with the SEC in conformity with the SEC’s rules and regulations. One company was also charged with violating Exchange Act Rule 13a-15(a), which requires the maintenance of disclosure controls and procedures designed to ensure that information required to be disclosed in Exchange Act reports is recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms.1
Notably, SEC Commissioners Hester Peirce and Mark Uyeda, who have voted against most of the SEC’s rulemakings under Chair Gary Gensler, issued a joint statement criticizing the enforcement actions as engaging in a “hindsight review to second-guess the disclosure” and an attempt to regulate by enforcement.
The cases underscore the critical need for U.S.-listed companies, including foreign private issuers, to focus on their cybersecurity disclosures. When drafting (and defending) disclosure in connection with cybersecurity incidents, the following considerations should be taken into account, balanced with the concerns raised by the dissenting commissioners:
- Designing and implementing disclosure controls and procedures to ensure escalation of potentially material cybersecurity incidents. Among other things, the company that paid by far the largest settlement amount ($4 million, compared with $1 million or less for each of the other three) was charged with failure to maintain an effective process for escalating information to senior management and disclosure decision-makers. According to the SEC’s order, the company’s materially misleading statements resulted in part from the company’s failure to design controls and procedures to ensure (1) that information about potentially material cybersecurity incidents was timely recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms; and (2) that such information was accumulated and communicated to the company’s management to allow timely decisions about materiality and required disclosures. In this case, senior members of the company’s IT/cybersecurity team failed to escalate the company’s network compromise, including the exfiltration of at least 33GB of data by an unauthorized threat actor, to the legal team and executive management. The dissenting commissioners’ disagreement with the factual finding that the company did not maintain disclosure controls and procedures does not undercut the importance of establishing and maintaining robust disclosure controls and procedures regarding cybersecurity incidents.
- Updating hypothetical risks to reflect cybersecurity incidents if they have occurred. In one case, the company framed risks from cybersecurity events as hypothetical despite the company’s awareness of the SolarWinds incident-related activity, thereby rendering the disclosures materially misleading, according to the SEC’s order. Another company included cybersecurity risk factor disclosures that the SEC called “virtually unchanged” from the same disclosures in prior public filings, even though the company had since identified a long-term cybersecurity compromise in which a reportedly nation-state-supported threat actor had infiltrated the company’s network for several months undetected. The SEC also noted that a general statement such as “the company encounters intrusions or attempts at gaining unauthorized access but none have a materially adverse impact” was materially misleading when the company was aware of the SolarWinds incident, because it framed every intrusion as immaterial. However, as pointed out by the dissenting commissioners, the SEC had brought charges against SolarWinds relating to similar risk disclosures, and those charges were dismissed by the U.S. District Court for the Southern District of New York in part for being impermissibly based on hindsight. The dissenting commissioners also argued that updating risk factors because certain hypothetical risks have materialized is not always a straightforward matter, and warned that the SEC should be judicious in bringing charges in this area. Nevertheless, the cases highlight the importance of refreshing generic cybersecurity disclosure with information about specific incidents and reconsidering a company’s particular cybersecurity risk profile, taking into account materiality principles (as discussed further below).
- Details about the scope and impact of an incident. The SEC charged one company with negligently creating a materially misleading picture of an incident, providing quantification regarding certain aspects of the incident but not disclosing additional material information on its scope and impact. For example, in the SEC’s view, although exfiltrated code represented a small portion of the company’s complete product code, the functions it served were important to the security of the company’s overall service offering, and therefore, its exposure to a reportedly nation-state-supported threat actor would be material to investors. According to the SEC’s order, another company disclosed that it had identified “evidence of access to a limited number of Company email messages” and “no current evidence of unauthorized access to our other internal systems” when in fact the threat actor had accessed at least 145 shared files and one compromised mailbox belonged to one of the company’s cybersecurity personnel. The dissenting commissioners, however, argued that the SEC has said that cybersecurity incident disclosure should focus primarily on the impacts of the incident, rather than on “details regarding the incident itself,” noting that:
- information such as the identity of the threat actor, the number or percentage of files accessed, and the owner of a compromised mailbox are all details about the incident itself which are not required to be disclosed; and
- in order to avoid being second-guessed by the SEC, companies will overcompensate by filling their Form 8-K disclosures with immaterial details about an incident, or worse, providing disclosure about immaterial incidents, which the SEC staff has identified as problematic in prior guidance.2
- Cooperation with the SEC. In each of the four cases, the SEC noted that it had considered the company’s cooperation in deciding to accept the company’s settlement offer. Among other things, the cooperation included voluntarily conducting internal investigations, sharing the findings with the SEC staff, providing the SEC staff with detailed explanations and analysis, and taking steps to enhance cybersecurity controls. The dissenting commissioners, however, said that the SEC should not be forcing companies to augment their cybersecurity personnel, arguing that the SEC lacks authority to compel the adoption of specific risk management practices or to dictate the personnel decisions of companies in connection with cybersecurity.
* * *
Conducting cybersecurity materiality assessments and drafting cybersecurity incident disclosure is a balancing act that can be difficult to get right. This is particularly true as the SEC seeks to navigate and enforce its new cybersecurity disclosure rules. We are working with numerous clients on cyber preparedness, governance, strategy and disclosure together with incident response, and we invite you to reach out to your regular Linklaters contact if you would like to discuss approaches and options.
We will continue to monitor developments in these areas and encourage you to contact us if you have any questions.
1 In these enforcement actions, the SEC did not bring any claims based on Exchange Act Section 13(b)(2)(B), an internal accounting controls provision that the SEC claimed, in a 2023 enforcement action, that SolarWinds had violated in connection with its cybersecurity disclosures. Earlier this year, the Southern District of New York (“SDNY”) decisively rejected the SEC’s Section 13(b)(2)(B) claims against SolarWinds, holding that the provision “does not govern every internal system a public company uses to guard against unauthorized access to its assets,” but is limited to financial accounting controls. The SEC also did not allege violations of its recently adopted cybersecurity disclosure rules, as the events surrounding the disclosures (or lack thereof) occurred before the rules’ compliance date.
2 See Exchange Act Form 8-K Compliance and Disclosure Interpretation 104B.05 (when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors,” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis”) and Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents (“it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made”).