In remarks yesterday before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. Gensler suggested that the economic cost of cyberattacks could be in the trillions of dollars, and that those attacks take many forms, including denials of service, malware and ransomware. It is also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. Given the frequency of cybersecurity incidents, the SEC is “working to improve the overall cybersecurity posture and resiliency of the financial sector.” To Gensler, the SEC’s cybersecurity policy has three components: “cyber hygiene and preparedness; cyber incident reporting to the government; and in certain circumstances, disclosure to the public.” In his remarks, Gensler considered cybersecurity in a variety of contexts, including SEC registrants in the financial sector (such as broker-dealers, investment companies, registered investment advisers and other market intermediaries), service providers and the SEC itself, but his discussion of cybersecurity in the context of public companies is of most interest here.
With regard to public companies, Gensler viewed the basic bargain as this: “Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.” But the nature and extent of disclosure is not static; it evolves over time, and “cybersecurity is an emerging risk with which public issuers increasingly must contend.” Accordingly, Gensler has asked the staff to make recommendations involving “companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.” Although many companies already provide cyber risk disclosure, Gensler believes that both companies and investors would benefit from information that is presented in a “consistent, comparable, and decision-useful manner.” Those recommendations would also address whether and how to update companies’ disclosures to investors when cyber events have occurred. To be sure, he noted, companies are already obligated to make disclosure about events, such as customer data theft and ransomware, that may be material to investors. This point has been reinforced by recent Enforcement actions.
In June, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” According to the SEC’s order, in May 2019, the company was advised by a journalist that its “EaglePro” application for sharing document images had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turns out, the company’s information security personnel had already identified the vulnerability in a report of a manual test of the EaglePro application about five months earlier, but failed to remediate it in accordance with the company’s policies. Importantly, for purposes of this case, they also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)
Then, in August, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach. In this instance, it wasn’t just a vulnerability—there was an actual known breach and exfiltration of private data. As described in the SEC’s Order, in September 2018, Pearson was advised by one of its software manufacturers of a critical vulnerability in its software and notified of the availability of a patch to fix it. Pearson, however, failed to implement the patch. In March 2019, the company learned that a “sophisticated threat actor” had used the unpatched vulnerability to access and download millions of rows of data. After the breach, Pearson implemented the patch and engaged a consultant to conduct an investigation, but “decided that it was not necessary to issue a public statement regarding the incident.” Instead, Pearson mailed a notice to its customer accounts and prepared a media statement to have ready in case of media inquiry. Nor did Pearson disclose the breach in its Form 6-K risk factors, instead leaving its previous cybersecurity risk factor—which described the risk as purely hypothetical—unchanged. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. (See this PubCo post.)
[Below based on my notes, so standard caveats apply.]
In the high-powered panel that followed Gensler’s speech, consisting of former SEC Chair Mary Jo White, former SEC Commissioners Robert Jackson and Troy Paredes, former Director of Enforcement Stephanie Avakian and former Director of Corp Fin Bill Hinman, Avakian noted that the SEC has recently brought cases (described above) concerning cybersecurity issues: First American Financial, which she characterized as a “message case,” related to inadequate disclosure controls, while Pearson was a more standard misstatement case involving a hypothetical risk factor. The panel also noted the SEC’s 2018 guidance on cybersecurity, as well as its investigative report under Section 21(a) regarding cyber threats and internal accounting controls.
In 2018, the SEC announced that it had adopted long-awaited new guidance on cybersecurity disclosure. With the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches, the guidance cautioned, companies needed to review the adequacy of their disclosures regarding cybersecurity and consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies. The guidance highlighted the pervasiveness of, and increasing reliance by companies on, digital technology to conduct their operations and engage with customers and others. That made companies in all industries vulnerable to the threat of cybersecurity incidents, such as stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks. Whether these incidents were a consequence of unintentional events or deliberate attacks, the SEC cautioned that they represented a continuous risk to the capital markets and to companies, their customers and business partners, a risk that called for more timely and transparent disclosure.
The guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief). In addition to a discussion of disclosure obligations under existing laws and regulations, the 2018 guidance added in new discussions of cybersecurity policies and procedures, particularly with respect to disclosure controls and procedures, and insider trading and selective disclosure prohibitions. The guidance urged companies to assess whether their disclosure controls and procedures captured information about cybersecurity risks and incidents and ensured that it was reported up the corporate ladder to enable senior management to make decisions about whether disclosure was required and whether other actions should be taken. According to the guidance, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. The controls should also ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies.” (See this Cooley Alert and this PubCo post.)
In 2018, the SEC also issued an investigative report under Section 21(a) that advised public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” As described in the 21(a) report, Enforcement conducted investigations of nine listed public companies in a range of industries that experienced cyber fraud in the form of “business email compromises,” in which perps sent spoofed or otherwise compromised electronic communications that purported to be from company executives or vendors. The perps then deceived company personnel into wiring substantial sums into the perps’ own bank accounts. In these instances, each company lost at least $1 million, and two lost more than $30 million, for an aggregate (mostly unrecovered) loss of almost $100 million. And these weren’t one-time scams: in one case, the company made 14 wire payments over several weeks for an aggregate loss of over $45 million, and another company paid eight invoices totaling $1.5 million over several months.
Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.” Given our expanding reliance on electronic communications and digital technology for economic activity, the report advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” (See this PubCo post.)
White commented that prescribing mandatory rules for disclosure could be a “heavy lift,” and Hinman agreed that developing prescriptive disclosures in this context would be challenging. He also noted that cybersecurity disclosure was on the SEC’s most recent short-term reg-flex agenda. (See this PubCo post.) Hinman said that he had heard the idea floated of making a cybersecurity incident an 8-K reporting requirement, as well as discussion of disclosure of insider trading controls and board expertise and oversight around cybersecurity. Paredes observed that disclosure requirements can certainly have an impact on conduct.
A subsequent panel of general counsels noted that cybersecurity can require an enterprise-wide approach. One of the GCs stressed the importance, should a cybersecurity incident occur, of making sure that the team is not dealing with speculation but is addressing the facts of the situation—the facts often turn out to be quite different from the initial speculation. The panel also discussed the need for tabletop exercises. Several panelists also noted that setting company priorities in advance can be especially useful in the urgency of a cybersecurity incident.