By now, it’s well known that there is a new sheriff in town at the U.S. Securities and Exchange Commission, and Gary Gensler’s SEC has already left its mark as a tough regulator. Perhaps nowhere is the contrast between former SEC Chair Jay Clayton’s Division of Enforcement and that of Chair Gensler more apparent than in the cybersecurity space. Just three years ago, then Co-Enforcement Director Stephanie Avakian stated that the SEC would not “second-guess reasonable, good faith disclosure decisions” concerning cybersecurity incidents. The SEC’s recent cybersecurity enforcement efforts, however, should serve as a warning to public companies and SEC registrants that the agency is scrutinizing the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure. These efforts have included five separate enforcement actions for deficiencies in cybersecurity disclosure controls and procedures and a massive cybersecurity “sweep” requesting information from hundreds, if not thousands, of companies related to the SolarWinds compromise.
This article highlights key takeaways from the SEC’s enforcement actions, summarizes the SEC’s recent enforcement efforts, and concludes with best practices for cybersecurity policies and procedures.
Key Takeaways from the SEC’s Recent Enforcement Actions
Although the SEC has always reviewed disclosures related to cybersecurity incidents carefully, and generally does not punish companies for their good faith judgment concerning those disclosures, its recent enforcement actions are of note because they have focused on the efficacy of companies’ cybersecurity disclosure controls and procedures. These actions presented certain facts which the SEC’s Division of Enforcement is likely to deem key to bringing an enforcement action, including:
- A lack of disclosure controls and procedures designed to ensure that information about the incidents is appropriately escalated to senior management and others responsible for conducting materiality and disclosure analyses, a failure to tailor disclosure controls and procedures to the known risk that customer PII could be exploited, and/or a failure to follow existing disclosure controls and procedures; and
- Vulnerabilities, which exposed customers’ non-public PII, including Social Security numbers and financial information, were discovered by information security personnel months and even years before the companies took sufficient action to remediate and protect customer data.
A Busy Summer for the SEC’s Cybersecurity Enforcement Efforts
As noted earlier, the SEC has brought five enforcement actions concerning cybersecurity disclosure controls and procedures, and commenced the SolarWinds sweep, since June 2021.
- The Safeguards Rule Actions: On August 30, 2021, the SEC sanctioned eight SEC-registered investment advisers and broker-dealers in three separate enforcement actions alleging failures in cybersecurity policies and procedures in violation of the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which is designed to ensure that investment advisers and broker-dealers protect confidential customer information. All three cases involved unauthorized access to email accounts and exposure of customer data for periods of more than one year. The SEC censured the eight entities involved and imposed $700,000 in total civil penalties.
- Pearson plc: On August 16, 2021, the SEC filed a settled enforcement action against a publicly traded company that provides educational publishing and other services to schools and universities, imposing a notable $1 million civil penalty for what the agency characterized as misleading statements and omissions to investors about a 2018 cyber incident that resulted in the theft of millions of student records, which included non-public PII such as dates of birth. On the disclosure controls front, the SEC alleged that the company failed to maintain disclosure controls and procedures designed to analyze or assess the materiality of improper access to student data, resulting in a failure to escalate information about the incident to senior management and others responsible for making disclosure decisions.
- First American Financial Corporation: On June 14, 2021, the SEC filed a settled enforcement action against a publicly traded provider of title and escrow services, alleging cybersecurity disclosure controls failures and imposing almost $490,000 in civil penalties. The SEC alleged that the issuer’s information security personnel discovered a serious vulnerability, which exposed over 800 million images of customers’ non-public PII, but failed to remediate and escalate it for months. This failure to escalate information about the incident to senior management and others responsible for company disclosures caused the issuer to file an inaccurate Form 8-K about the incident. Moreover, the issuer lacked cybersecurity disclosure controls and procedures. This settlement marks the first time that the SEC imposed civil penalties in connection with an issuer’s deficient controls and procedures related to a cybersecurity incident.
- SolarWinds Inquiry: In mid-June 2021, the SEC’s Division of Enforcement commenced an enforcement sweep of hundreds, if not thousands, of public companies and other SEC registrants who were potentially impacted by the infamous SolarWinds compromise. Although this inquiry was voluntary, the SEC included precise requests concerning the impact of the SolarWinds compromise on each recipient, the recipient’s response to the SolarWinds compromise, and a broad request asking recipients to identify other compromises involving unauthorized access to the recipient’s computer systems by an external actor lasting longer than one day. The SEC’s sweep, which is ongoing, could be a massive effort by the agency to use one cybersecurity incident—i.e., the SolarWinds breach—to gather information on vulnerability detection, remediation, and disclosure in the cybersecurity space.
Cybersecurity Disclosure Controls and Procedures Best Practices
The recent slew of SEC enforcement actions makes it clear that the SEC will not be lenient on companies that fail to adopt and implement specific disclosure controls and procedures related to cyber incidents. SEC registrants must closely adhere to the Safeguards Rule, and public companies must follow the SEC’s February 2018 guidance on public company disclosure of cybersecurity risks and incidents. Among other things, public company controls and procedures should:
- Set forth steps to identify and investigate cybersecurity incidents;
- Assess and analyze the impact of the incident on the company’s business and customers;
- Ensure careful analysis of whether the cybersecurity incident is material, giving rise to disclosure obligations;
- Refer potentially material cybersecurity incidents to appropriate committees, including the disclosure committee, for assessment and analysis;
- Ensure that material cybersecurity incidents are reported to senior management and to the board of directors;
- Ensure that material cybersecurity incidents are disclosed to investors and that existing disclosures are reviewed and, if necessary, updated if new facts render them incorrect or misleading;
- Prescribe steps and deadlines to remediate incidents based on severity;
- Address circumstances under which trading restrictions should be imposed on company personnel who are in possession of material non-public information (MNPI) regarding the incident; and
- Provide for the issuance of a document preservation or litigation hold for material incidents or other incidents where the company anticipates litigation.