With the new leadership at the Securities and Exchange Commission, industry commentators expect the Division of Enforcement to be more aggressive in several arenas, including public company disclosure of cybersecurity incidents. While this has been a stated focus of the SEC for more than 10 years, enforcement cases relating to disclosure of cybersecurity incidents have historically been uncommon. Just in the past few months, however, the SEC filed two enforcement actions against public companies related to the timing and content of cybersecurity incident disclosures. These recent enforcement cases further signal the SEC’s continued focus on how public companies respond to and issue public disclosures for material cybersecurity incidents.
As discussed in this Cooley Securities Litigation + Enforcement blog post, neither of the SEC’s recent enforcement actions included allegations of intentional misconduct or any charges against individuals. Instead, in both cases, the SEC brought charges based on the companies’ alleged failure to maintain adequate disclosure controls and procedures, supplemented by negligence-based fraud charges in one of the cases. These cases reflect the SEC’s continued focus on accurate disclosures and robust disclosure controls in connection with cybersecurity incidents.
Recent enforcement actions
In June 2021, the SEC announced settled charges against real estate settlement services company First American Financial Corporation for disclosure control and procedure violations related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, on May 24, 2019, First American was advised by a journalist that its application for sharing document images related to title and escrow transactions had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” That evening, the company issued a statement to the journalist that First American had learned of the design defect, took immediate action to address the situation and disabled external access to the application.
On the next trading day, the company furnished a Form 8-K to the SEC stating that there was “[n]o preliminary indication of large-scale unauthorized access to customer information” and that it had “shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data.” However, unbeknownst to the company’s senior executives, the company’s information security personnel had identified the vulnerability in a report of a manual test of the application about five months earlier, but failed to remediate it in accordance with the company’s policies. Importantly, they also failed to apprise senior executives – including those responsible for making public statements – about the report, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost $500,000. (See this Cooley PubCo blog post for additional information on the First American charges.)
Then, in August 2021, the SEC announced that it had settled negligence-based fraud and disclosure controls charges against Pearson, an educational services company headquartered in London. In March 2019, Pearson learned that millions of records of student data on its server had been accessed and downloaded by a threat actor using an unpatched critical vulnerability on the server. The software manufacturer had advised Pearson in September 2018 about this critical vulnerability in its software and the availability of a patch to fix it. Pearson, however, failed to implement the patch until after it had become aware of the attack by the threat actor.
Pearson did not immediately disclose the intrusion after it was identified. Three months after learning of the incident, Pearson submitted a filing to the SEC that contained a cybersecurity-related risk factor stating a hypothetical risk of a data privacy incident or other failure, again without disclosing the intrusion that had occurred. Then, when the media learned of the breach and contacted the company, Pearson issued a misleading public statement. The SEC found that in its statement Pearson inaccurately characterized the intrusion as “unauthorized access” when it was aware that the threat actor had actually removed data, and the company failed to disclose that the breached data included usernames and hashed (or scrambled) passwords of employees, as well as millions of rows of student data. Without admitting the SEC’s findings, Pearson agreed to settle the matter and pay a $1 million penalty. (See this Cooley PubCo blog post for additional information on the Pearson charges.)
Given the marked increase in the SEC’s cybersecurity enforcement cases and its aggressive stance on even unintentional conduct involving cybersecurity incidents and disclosures (as reflected by the fact patterns in such cases), below are some practical lessons and related steps public companies should consider taking when assessing the adequacy of cybersecurity disclosures, and of disclosure controls and procedures in general:
1. Companies with awareness of past intrusions and vulnerabilities must carefully assess materiality and consider updates to risk factor disclosure on a timely and regular basis, as the SEC has made clear that a hypothetical risk factor regarding cybersecurity intrusions or vulnerabilities will not be sufficient if an intrusion or vulnerability has been identified and is deemed material.
As evidenced in the Pearson charges, risk factor disclosure that an event “could” occur when it has actually occurred will receive SEC scrutiny for being materially misleading. In finding that Pearson’s risk factors were materially misleading, the SEC reasoned that the hypothetical risk factor filed by Pearson after awareness of the intrusion “implied that no ‘major data privacy or confidentiality breach’ had occurred,” when Pearson was well aware of the breach and “failed to consider how certain information about that breach should have informed this risk disclosure.”
In the case In re Alphabet Securities Litigation, the US Court of Appeals for the Ninth Circuit addressed the use of hypothetical risk factors when the company was aware of an actual cybersecurity intrusion or vulnerability. The court found that Alphabet’s Form 10-Q incorporated the risk factor disclosures from its 2017 Form 10-K and had not been updated to disclose various significant security vulnerabilities that the company had discovered, specifically a vulnerability in its Google+ social network that left the private data of hundreds of thousands of users exposed to third-party developers for three years. The court held that the complaint filed against Alphabet contained a plausible allegation that Alphabet’s omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, as alleged in the complaint, the “hypothetical” events had in fact already occurred. The SEC previously brought an action on the same basis against Yahoo and specifically warned of the dangers of “hypothetical” risk disclosure in the context of stolen data and IP. (See this Cooley PubCo blog post for additional information on the In re Alphabet Securities Litigation case and concerns with hypothetical risk factors.)
2. When companies speak about cybersecurity incidents, they must carefully choose their words, and fully and accurately disclose the respective incidents and the impact of such incidents on the company’s business and financial results.
In the Pearson case, the SEC found that the company had made material omissions by failing to disclose all known features of the intrusion. Specifically, in providing its reasons for finding that the media statement made by the company was misleading, the SEC found, among other issues, that the statement had inaccurately characterized the intrusion as “unauthorized access” – when Pearson was aware that the threat actor had actually removed data, and the company failed to disclose that the removed data included employee usernames and hashed passwords, as well as millions of rows of student data. The order further found that Pearson had stated that it had “strict protections” in place and had “found and fixed the vulnerability” – when the server had been accessed through a “critical vulnerability,” and Pearson did not remedy the weaknesses for six months after learning of the breach. The SEC’s order highlights the importance of ensuring that any disclosure of a cybersecurity incident is adequate and accurate.
3. Companies should understand that their cybersecurity disclosure obligations may arise outside the context of actual cyberattacks and hacks. For example, a vulnerability may by itself trigger disclosure obligations, particularly if a company chooses to make a statement about that vulnerability.
In First American, the company’s software application for sharing document images related to title and escrow transactions had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” Importantly, the case did not involve a third-party attack or actual data breach. Rather, it arose solely from an existing weakness in the company’s software application. The SEC found that the company did not have disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure – including that security personnel previously identified the vulnerability, but failed to remediate it.
4. Companies must have robust cybersecurity disclosure controls in place, and inform decision-makers of any potentially material cybersecurity incident or vulnerability in a timely manner, so management and the board can make disclosure decisions with knowledge of all pertinent facts – and information security personnel should be made aware of this requirement.
In First American, the company issued a public statement on the cybersecurity vulnerability as soon as the company’s senior executives were made aware. However, the SEC’s order found that the company’s information security personnel had identified the vulnerability in a report of a manual test of the application five months earlier, but failed to remediate it in accordance with the company’s policies. They also failed to apprise senior executives – including those responsible for making public statements – about the report, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.”
Similarly, in the Pearson case, the SEC’s order found that the company’s processes and procedures around the drafting of its risk factor disclosures and media statement on the breach failed to inform relevant personnel of certain information about the circumstances surrounding the breach, and concluded that Pearson “failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.”
Both cases highlight the importance of maintaining disclosure controls and procedures properly designed to ensure that management and the board can analyze and assess cybersecurity incidents in order to make appropriate and accurate disclosure decisions.