We continue our year-end review of SEC enforcement activity and turn our attention to a topic grabbing seemingly daily headlines across multiple industries: cybersecurity. As the risks – and realities – of cyberattacks increase around the world, the SEC continues to prioritize cybersecurity for the Divisions of Examinations and Enforcement. Although standalone SEC enforcement actions related to cybersecurity risks and disclosures remain a small fraction of the Enforcement Division's overall filed actions, enforcement trends and proposed rulemaking point toward heightened activity in the space in the years to come.
Most of the agency's enforcement activity to date has focused on regulated entities such as investment advisers and broker-dealers. These entities are subject to specific cybersecurity-related obligations, such as Regulation S-P (Safeguards Rule) and Regulation S-ID (Identity Theft Red Flags Rule). While we look forward to unpacking the SEC's cybersecurity activity in the regulated entity space in the coming weeks, this blog's focus is on the SEC's 2021 cybersecurity enforcement activity related to public company issuers and looks ahead to FY 2022 enforcement.
SEC Guidance and Rules around Cybersecurity Disclosure
In contrast to regulated entities, there are no specific cybersecurity-related disclosure regulations for public companies at this time. In October 2011, the SEC's Division of Corporation Finance issued its views regarding disclosure obligations relating to cybersecurity risks and incidents. Then, in February 2018, the SEC issued formal guidance regarding issuers' cybersecurity disclosure obligations on the heels of rampant ransomware infections1 and key infrastructure hacks in 2017.2 The agency highlighted that, given the frequency, magnitude and cost of cybersecurity incidents, issuers must inform investors about material cybersecurity risks and incidents.3 Importantly, the SEC emphasized that the same disclosure rules that govern issuer disclosure of material events, risk factors, events, trends and uncertainties for the company generally, control for cybersecurity-related disclosures specifically (such as Item 303 of Regulation S-K). Additionally, issuers need to adopt and maintain sufficient disclosure controls and procedures (DCP) under Rule 13a-15(a) of the Exchange Act4 "to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications…"
SEC FY 2021 Cybersecurity Enforcement Activity
Given this context, the SEC's cybersecurity enforcement activity in FY 2021 is worth highlighting. Although the agency has long stressed cybersecurity as a priority for public companies, prior to FY 2021, the SEC had only filed one matter against a public company for cybersecurity-related disclosure failures.5 Yet, over the last seven months of 2021, the agency charged two issuers with cybersecurity-related violations.
First, in June 2021, the SEC filed an enforcement action against First American Financial Corporation. In 2019, a cybersecurity journalist notified the company that it had a vulnerability exposing 800 million title and escrow document images, which included sensitive personal information. In response, the company issued a report on Form 8-K and attached a statement concerning its ongoing investigation into the reported cyber incident. At the time the company issued the statement, however, First American's senior executives did not know that the company's information security personnel had identified the vulnerability several months earlier, or that the company failed to remediate the issue. The order found that First American failed to maintain DCP designed to ensure that the company's senior management received relevant information about the identified vulnerability or lack of remediation. Without admitting or denying the findings in the order, First American agreed to a cease-and-desist order and a $487,616 civil monetary penalty. For more details on the SEC's action against First American, please see Holland & Knight's alert discussing the case (June 22, 2021).
Second, the SEC filed an enforcement action against Pearson plc, a London-based educational services company. The order alleges that Pearson knew about a server breach that led to the theft of student records and other data. In a media statement, Pearson referred to the breach as a hypothetical when the breach, in fact, had occurred and claimed that it had "strict protections" in place to prevent such a breach when it had known about the vulnerability that led to the breach for six months. The company's knowledge of the cyber incident combined with the hypothetical risk disclosure harkens back to the agency's only other cybersecurity action against a public company issuer: the agency's 2018 case against Altaba, Inc. f/d/b/a Yahoo! Inc. As in Yahoo, without admitting or denying the findings, Pearson agreed to cease and desist from violating the negligence-based antifraud provisions of the Securities Act of 1933 and the Exchange Act reporting and DCP provisions.
A Look Ahead to FY 2022 SEC Cyber Enforcement Against Issuers
Since the issuance of the SEC's 2018 Guidance, the importance of all things cyber has only increased, as fully remote and hybrid work arrangements continue, and the COVID-19 pandemic accelerates the corporate world's shift to digital. These factors have contributed to a brighter spotlight on issuers' cybersecurity disclosures. In September 2021, during a hearing before the Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Gary Gensler said "today's investors are looking for consistent, comparable, and decision-useful disclosures around . . . cybersecurity."6 Gensler's remarks also foreshadowed a rule proposal regarding cybersecurity risk governance, including "cyber hygiene and incident reporting." With the chairman and the Division of Enforcement particularly focused on cybersecurity, companies can expect increased scrutiny of their digital systems and related disclosures in 2022, a trend that is unlikely to slow as the digital infrastructure of companies continues to grow. Moreover, the SEC's action against First American is a signpost that the agency will look to expand its enforcement activity in this space to controls-related violations as opposed to cyber actions principally based on false and misleading statements. This should serve as a reminder to issuers to establish, maintain, monitor and test policies and procedures that ensure details about cybersecurity risks and incidents are communicated to the appropriate executives.
As the SEC continues to pursue actions in this space, SECond Opinions will provide updates on noteworthy developments.
1 E.g., Nicole Perlroth & David E. Sanger, "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool," The New York Times, May 12, 2017; Jeremy Ashkenas & Adam Pearce, "Animated Map of How Tens of Thousands of Computers Were Infected With Ransomware," The New York Times, May 12, 2017.
2 See Andy Greenberg, "Hackers Gain Direct Access to US Power Grid Controls," Wired, Sept. 6, 2017.
3 The SEC's guidance also highlighted the importance of having policies and procedures in place to protect against corporate insiders from taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident. Not surprisingly, the SEC's guidance predated the SEC's enforcement action against a former Equifax executive who traded in advance of the company's announcement about a massive data breach.
4 Disclosure controls and procedures are defined under Exchange Act Rule 13a-15(e) as "controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the [Exchange Act] is recorded, processed, summarized and reported within the time periods specified in the Commission's rules and forms." These controls and procedures include those that are "designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the [Exchange Act] is accumulated and communicated to the issuer's management…to allow timely decisions regarding required disclosure."
5 The SEC also issued a Report of Investigation pursuant to Section 21(a) of the Exchange Act regarding business email compromises and related internal accounting control requirements.
6 Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affair, U.S. Securities and Exchange Commission, Sept. 14, 2021.