The SEC is ramping up its cybersecurity disclosure enforcement. While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years has seen an explosion of high-profile data security incidents. That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement. First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure. Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018. And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack. In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure, and implement any necessary changes to their respective policies and procedures, and disclosure practices.
The Current Guidance
In February 2018, the SEC issued an interpretative guidance letter outlining its expectations for public companies. The SEC’s most comprehensive cybersecurity disclosure guidance to date, the 24-page letter explored how existing general disclosure rules apply to cybersecurity disclosures specifically. It explained, for example, that both cybersecurity incidents and cybersecurity risks may constitute material information that companies should disclose in their filings. It therefore recommended that companies adopt “comprehensive policies and procedures related to cybersecurity” in order to identify any material cybersecurity information and report it in a timely manner. It also recommended ensuring that CEOs and CFOs are apprised of the company’s cybersecurity controls and procedures before making control certifications, as well as disclosing the extent to which the board of directors exercises oversight over the company’s cybersecurity program. And the letter noted that knowledge of cybersecurity incidents—or risks—may in and of itself be considered material non-public information, and warned against insider trading on such information.
On the heels of this guidance letter, the SEC underscored that it viewed cybersecurity disclosure violations as serious, sanctionable conduct when it announced in April 2018 a major enforcement action against Altaba (formerly Yahoo!) for its failure to properly inform investors about a cybersecurity breach. According to the SEC, Altaba’s information security team had been aware of the breach when it occurred in December of 2014, but the company did not disclose it to the public until 2016. While neither admitting or denying the findings of the SEC, Altaba agreed to pay a $35 million penalty for its failure to properly investigate and disclose the breach.
Renewed Interest in Cybersecurity Disclosure
After the Altaba enforcement action, the SEC’s public focus on cybersecurity risk and incident disclosure appeared to have dissipated. But that all changed on June 11, 2021, with the SEC’s announcement of the proposed new cybersecurity disclosure rule. This is a major step, considering that cybersecurity disclosures as of now do not have a rule of their own, but are instead governed by the SEC’s general disclosure rules. The Office of Information and Regulatory Affairs currently describes the “Cybersecurity Risk Governance” rule as intended to “enhance issuer disclosures regarding cybersecurity risk governance,” but the rule-making process is still in the preliminary “Proposed Rule Stage,” so don’t expect any details yet. The SEC is expected to issue a Notice of Proposed Rulemaking (“NPRM”) in October 2021. That means the SEC will issue a substantive draft of the rule, at which point the public will be able to review and offer comments to assist the SEC in crafting a final version.
Only a few days after announcing the new proposed rule, the SEC issued a press release reporting charges and a settlement of its second major cybersecurity disclosure enforcement action. According to the SEC’s order, from as early as 2014, real estate settlement services company First American Financial Corporation had experienced a vulnerability in its website that exposed millions of documents with sensitive consumer information to the public. The SEC order indicates that First American finally reported the incident to the SEC after a journalist alerted its senior executives to the issue in May 2019, even though First American’s information security team had identified the vulnerability months earlier in December 2018. Because the information security team failed to inform the company’s senior executives or remediate the vulnerability at the time it was discovered, the SEC faulted First American for failing to maintain controls to ensure that material information relating to the vulnerability would be disclosed. Without admitting or denying the SEC’s claims, First American agreed to a cease-and-desist order and to pay a $487,616 penalty. This action is significant for a number of reasons: not only does this signal renewed attention to cybersecurity disclosures at the SEC, but also a willingness to hold entities accountable for failures to disclose known risks or vulnerabilities, even in the absence of an actual data breach. It also serves as a potent reminder that because public companies have an obligation to disclose known material cybersecurity risks, they must implement internal reporting processes that will ensure that management learns of any such risks.
Finally, to top off the busy month, the SEC took major action relating to the SolarWinds supply-chain attack. As we’ve written about previously, the SolarWinds attack had a massive reach and potentially compromised the IT of thousands of U.S. businesses.[i] In a somewhat unusual move, the SEC mailed out a bevy of investigative letters to the companies potentially affected, requesting that they report to the agency their efforts to identify and disclose any incidents or risks associated with the attack. Although it is unclear exactly where the SEC’s investigation will lead, in exchange for candid disclosure from companies, the SEC has offered amnesty for would-be violations relating to the attack. Conversely, according to reporting on the subject, the SEC advised that failure to cooperate may result in enforcement with “heightened penalties.” Given that the SolarWinds attack is just one of many recently-disclosed, high-profile supply chain attacks, it would not be surprising to see the SEC undertake similar efforts and expect affected public companies to make disclosures related to those supply-chain attacks.
Looking to the Future
These three actions make it clear that the SEC is once again focused on cybersecurity disclosure enforcement. So what should companies do now? Until the SEC issues its NPRM in October, it is hard to say exactly what will be expected of companies. But for now, the SEC’s 2018 guidance offers the best insight into the agency’s expectations, so companies should ensure they are familiar with its contours.
This includes keeping a keen eye towards ensuring that employees err on the side of reporting cybersecurity risks or incidents up the chain of command, including to legal personnel who can help determine whether they should be disclosed. Indeed, the First American enforcement demonstrates that a cybersecurity incident or risk may be identified by IT employees, but not elevated to management due to inadequate reporting processes. Encouraging employees to liberally report cybersecurity incidents or risks can help prevent this from happening. In light of the persistent and growing prevalence of cybersecurity incidents, issuers and registrants should also ensure that they are periodically monitoring and testing their data security systems to identify and remediate any weaknesses.
As the SEC continues to be active in this area, we will continue to report on any major developments.