SEC Director Of Enforcement Talks Cyber Resilience

Cooley LLP

In remarks delivered in 2022 before the Northwestern Pritzker School of Law's Annual Securities Regulation Institute, SEC Chair Gary Gensler reminded us that "cybersecurity is a team sport," and that the private sector is often on the front lines. (See this PubCo post.) He might have said the same thing about cyber resilience—the topic of a Financial Times summit held last month and the subject of remarks delivered to that audience by Gurbir Grewal, the current SEC Director of Enforcement. What is cyber resilience? As defined by Grewal, it's a concept that assumes that "breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it's not a matter of if, but when."

Citing a recent poll from Deloitte, Grewal observed that over "a third of executives reported that their organization's accounting and financial data was targeted by cyber adversaries last year." As threats increase, Grewal maintained, cybersecurity is "foundational to maintaining the integrity of not just our securities markets, but our economy as a whole." To maintain that integrity, the SEC has proposed rules aimed at cybersecurity for a variety of market participants, including companies. (See this PubCo post.) In actions taken, Enforcement is also doing its part to "ensure that registrants take their cybersecurity and disclosure obligations seriously," guided by the five principles discussed below; companies "would be well-served by considering them as they work to enhance their cyber resilience."

First, cyber attacks victimize not just the public company attacked, but also the investing public. Companies need to "make real-time decisions when responding to cyber events and around related disclosures"; it is important not to forget that "those decisions directly impact customers whose PII or financial information has been compromised—and those decisions may also be material to investors in publicly-traded companies." To that end, "in addition to ensuring that market participants are doing their part to prevent and respond to cyber events," Enforcement's "goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures. I believe that the enforcement actions that the SEC has brought to date in this space strike the right balance among these various considerations."

SideBar

Enforcement has certainly brought a number of actions related to cybersecurity—involving both misleading disclosures and inadequate disclosure controls. In 2021, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures "related to a cybersecurity vulnerability that exposed sensitive customer information." According to the SEC's order, in May 2019, the company was advised by a journalist that its "EaglePro" application for sharing document images had a vulnerability that exposed "over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information." That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turns out, the company's information security personnel had already identified the vulnerability in a report of a manual test of the EaglePro application about five months earlier, but failed to remediate it in accordance with the company's policies. Importantly, for purposes of that case, they also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been "relevant to their assessment of the company's disclosure response to the vulnerability and the magnitude of the resulting risk." The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)

Then, a couple of months later, the SEC announced settled charges against Pearson plc, an NYSE-listed, educational publishing and services company based in London, for failure to disclose a cybersecurity breach. In this instance, it wasn't just a vulnerability—there was an actual known breach and exfiltration of private data. As described in the SEC's Order, in September 2018, Pearson was advised by one of its software manufacturers of a critical vulnerability in its software and notified of the availability of a patch to fix it. Pearson, however, failed to implement the patch. In March 2019, the company learned that a "sophisticated threat actor" used the unpatched vulnerability to access and download millions of rows of data. After the breach, Pearson implemented the patch and engaged a consultant to conduct an investigation, but "decided that it was not necessary to issue a public statement regarding the incident." Instead, Pearson mailed a notice to its customer accounts and prepared a media statement to have ready in case of media inquiry. Nor did Pearson disclose the breach in its Form 6-K risk factors, instead leaving its previous cybersecurity risk factor—which described the risk as purely hypothetical—unchanged. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. (See this PubCo post.)

In March of this year, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it's disclosure controls again! The personnel with knowledge of the scope of the breach "did not communicate this to Blackbaud's senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so." As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud's disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement's Crypto Assets and Cyber Unit, "Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous....Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so." (See this PubCo post.)

Second, companies need to do more than pay lip service to their policies. According to Grewal, "firms need to have real policies that work in the real world, and then they need to actually implement them; having generic 'check the box' cybersecurity policies simply doesn't cut it." Here, Grewal points to Reg S-ID, the SEC's Identity Theft Red Flags Rule, which requires financial institutions "to develop and implement a written identity theft prevention program to identify, detect, and respond to 'red flags' that indicate possible identity theft." Enforcement has brought actions against several companies that, Grewal charged, just "paid lip service" to the requirements of the Rule, failing to properly implement their programs by failing to provide any guidance as to "how to identify or how to respond to those red flags once identified."

Third, companies must "regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. What worked 12 months ago probably isn't going to work today, or at a minimum may be less effective." Grewal advised that companies and their counsel take a look at the SEC's "enforcement actions and public orders on these topics. They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations."

SideBar

On occasion, even when the SEC has decided against taking action, it has issued investigative reports. In 2018, the SEC issued an investigative report under Section 21(a) that advised public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies "may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls." As described in the 21(a) report, Enforcement conducted investigations of nine listed public companies in a range of industries that experienced cyber fraud in the form of "business email compromises," which involved perps sending spoofed or otherwise compromised electronic communications that purported to be from company executives or vendors. The perps then deceived company personnel into wiring substantial sums into the perps' own bank accounts. In these instances, each company lost at least $1 million, and two lost more than $30 million for an aggregate (mostly unrecovered) loss of almost $100 million. And these weren't one-time only scams: in one case, the company made 14 wire payments over several weeks for an aggregate loss of over $45 million, and another company paid eight invoices totaling $1.5 million over several months.

Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report "to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer's risk management approach to external cyber-related threats, and, ultimately, in the protection of investors." Given the expanding reliance on electronic communications and digital technology for economic activity, the report advised companies to "pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds." In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management's general or specific authorization," and that "(iii) access to assets is permitted only in accordance with management's general or specific authorization." (See this PubCo post.)

Fourth, Grewal reminded us that "when a cyber incident does happen, the right information must be reported up the chain to those making disclosure decisions. If they don't get the right information, it doesn't matter how robust your disclosure policies are." To illustrate, he describes the action against First American Financial Corporation (discussed in the SideBar above) where, according to the order, "First American only disclosed the vulnerability after a reporter brought it to the company's attention. You see, although the company's information security personnel had actually identified that vulnerability months earlier, they failed to remediate it in accordance with the company's own policies. They then compounded those mistakes by failing to report it to the senior executives responsible for the company's disclosures. Those executives were, therefore, in the dark until the reporter brought the issue to light."

Fifth, Grewal cautioned that Enforcement has "zero tolerance for gamesmanship around the disclosure decision." Here, Grewal is critical of companies that are "more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk. Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper technical readings of the rules, or by minimizing the cyber incident." Not a good idea, Grewal emphasizes: "[i]t doesn't work for the customers whose data is at risk. It doesn't work for the shareholders who are kept in the dark about material information. And it most certainly doesn't work for the company, which will most likely face stiffer penalties once the breach gets out, as it invariably will, and if it turns out that the company violated its obligations." As an example of an action by Enforcement in this context, Grewal referred to the case against Pearson (discussed in the SideBar above), where the company "referred to that data privacy incident as a hypothetical risk, even though it had already occurred. Pearson did not disclose the breach until it was contacted by the media."

Grewal then advised, in the event of a material incident, that companies not wait too long to provide public disclosure and talk to the SEC about it. Companies can "always complete" their internal investigations "after meeting your disclosure obligations, if any, and reaching out to us." Companies that provide real cooperation with the SEC, "including by coming in to speak with us or self-reporting, receive real benefits, such as reduced penalties or even no penalties at all....In contrast, firms that do not fulfill their obligations will likely face civil penalties higher than they have in the past."
