On October 22, 2024, the Securities and Exchange Commission (SEC) announced enforcement actions against several technology companies for making materially misleading disclosures regarding cybersecurity risks and intrusions. One company was also charged with disclosure controls violations.
The enforcement actions reinforce that companies should:
- Carefully consider updating disclosures in the wake of cybersecurity incidents, particularly when a company’s risk profile changes as a result of an incident.
- Maintain policies and procedures to facilitate prompt escalation of cybersecurity incidents to disclosure decision-makers.
- Understand the SEC’s view of materiality and avoid minimizing cybersecurity incidents in disclosures.
The charges against the companies are the result of the SEC’s investigation of public companies potentially impacted by the SolarWinds’ Orion software vulnerability and other related activity. The penalties in the enforcement actions range from $990,000 to $4 million.
Notably, two SEC commissioners issued another strong dissenting statement to these actions. We anticipate that a new SEC administration will take a different approach to cyber-related enforcement actions.
The SEC’s Arguments Supporting the Disclosure Charges and the Disclosures at Issue
The alleged misleading disclosures fall into one of two buckets: (i) the disclosures mentioned a cybersecurity incident but omitted material information; or (ii) the disclosures remained largely the same after the cybersecurity incident and did not reflect new and realized cybersecurity risks.
Omission of Material Information
In the first category, the SEC highlighted that certain company disclosures omitted material information known to the company about the scope and potential impact of the incident at the time of the filing, including that a nation-state threat actor was likely responsible for the incident, the long-term unmonitored presence of the threat actor in the company’s systems, and other actions taken by the threat actor.
In the case of another company in the same category, the SEC alleged that the company created a materially misleading picture of the cybersecurity compromise by quantifying certain aspects of the compromise but negligently failing to (a) disclose the large number of impacted customers; (b) describe the nature of the exfiltrated code; and (c) quantify the amount of exfiltrated source code, particularly given that a large percentage of three types of source code were exfiltrated.
Failure To Update Disclosures for Known Risks
In the second category, the SEC alleged that the company’s cybersecurity risk profile had changed materially, but the company’s public filings included cybersecurity risk-factor disclosures that were virtually unchanged from prior public filings and omitted new and material cybersecurity risks arising from the cybersecurity compromise. The same company’s disclosures also described the existence of intrusions in generic terms only.
In the case of another company in the same category, the SEC alleged that the company made materially misleading statements by making cybersecurity risk disclosures that were not sufficiently tailored to the company’s particular risks and incidents. This included describing intrusions and the risk of unauthorized access in hypothetical terms. The company’s disclosures were also allegedly misleading because the company’s cybersecurity risk profile changed materially due to the incidents, but the company’s disclosures were substantially the same before and after the incidents. In the case of this company, the SEC also stated that the company did not have controls and procedures designed to ensure that its disclosure decision-makers received and reviewed information about cybersecurity incidents that might be required to be disclosed, which contributed to the company’s materially misleading risk-factor disclosures.
Takeaways
Determining Materiality
All of the SEC orders included language suggesting that when determining whether certain information about a cybersecurity incident is something a reasonable shareholder would consider important and therefore material, companies should consider whether, given the nature of their businesses, data protection is critically important to the company’s reputation and whether the company possesses potentially sensitive data that could be of great interest to state-sponsored threat actors.
Updating Risk-Factor Disclosures
When determining whether to update risk-factor disclosures after a cybersecurity incident, companies should evaluate whether the incident changes the company’s cybersecurity risk profile. A company’s cybersecurity risk profile may be changed if:
- A persistent and reportedly nation-state-supported threat actor compromised the company’s environment.
- A threat actor persisted in the company’s environment unmonitored for an extended period of time.
- An investigation of malicious activity was hampered by technology gaps that prevented the company from identifying the full scope of the compromise (e.g., network and cloud logs were unavailable).
Disclosure Controls and Procedures
Companies should revisit existing disclosure controls and procedures for SEC filings and assess whether current controls are sufficient to make timely materiality determinations and to capture and report cybersecurity-related information accurately and comprehensively.
- This may include reviewing and enhancing internal processes and procedures to identify, escalate and disclose cybersecurity incidents to help ensure timely and accurate disclosures.
- This review should also include an evaluation of (i) whether the company’s public disclosures are consistent across required filings and voluntary disclosures, (ii) whether statements regarding the company’s cybersecurity risk reflect the facts and circumstances known to the company at the time of disclosure, and (iii) whether any updates to existing disclosure may be required.
Dissenting Statement’s Preview of New SEC Administration
Commissioners Peirce and Uyeda issued their second dissenting statement within four months regarding a cybersecurity-related SEC enforcement action, signaling their continued disagreement with the SEC’s current approach to regulating cybersecurity-related disclosures and disclosure controls.
Below are key arguments from the dissent:
- During the SEC’s 2023 rulemaking on cybersecurity incident disclosures, the commission stated that the disclosure of cybersecurity incidents should focus primarily on the impacts of the incident rather than on details regarding the incident itself; however, in the recent enforcement actions, the commission appears to be focusing on immaterial details about the incident.
- The court in the SolarWinds case stated that “perspective and context are critical” to evaluating whether a Form 8-K is materially misleading because a filing is not misleading if the “disclosure, read as a whole, captured the big picture.” Many of the disclosures at issue in these recent actions, when read as a whole, convey the complete story about the cybersecurity risks the companies faced.
- If the SEC does not exercise restraint, it could find a violation in every company’s risk disclosure because risk factors cover a wide range of topics and are inherently a disclosure of hypothetical events. This approach to regulation could cause companies to expand their risk disclosures with examples of immaterial events out of a fear of scrutiny.
- The SEC needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.
The Republican commissioners’ views will help shape the SEC’s priorities in a new administration. As a result, companies should be aware of two potential changes to the SEC’s approach to cybersecurity-related enforcement actions:
- The SEC may take a less expansive view of materiality in cybersecurity actions and return to a principle-based approach of assessing materiality based on market indicators and investor harm (e.g., whether disclosure impacts stock, financial performance, or analyst views).
- The SEC is also unlikely to expect companies to meet disclosure obligations by providing details that create a roadmap for potential cyber intruders.
- The SEC may focus less on leveraging its controls-based statutory authority to charge public companies for failure to maintain reasonable internal disclosure and accounting controls relating to cyber intrusions given the litigation risks for the agency in pursuing aggressive theories.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.