SEC Enforcement Action Highlights Need for Internal Communications About Cybersecurity Problems

Matthew Bacal, Robert Cohen, and Joseph Hall are partners at Davis Polk & Wardwell LLP. This post is based on a Davis Polk memorandum by Mr. Bacal, Mr. Cohen, Mr. Hall, Greg Andres, Angela Burgess and Martine Beamon.

The Securities and Exchange Commission (SEC) announced a settled enforcement action on June 15 against a company for violating the requirement that public companies have controls and procedures to ensure that they make required disclosures in SEC filings. According to the SEC’s order, a cybersecurity journalist informed the company of a vulnerability in a proprietary application that the company used to store and share document images. The vulnerability exposed more than 800 million documents that contained sensitive personal information, although the SEC’s order did not say that anyone exploited the vulnerability to access the sensitive information. The company issued a statement for the journalist’s report the same day, and filed a Form 8-K four days later.

The SEC alleged that senior executives responsible for filing the 8-K were not aware that company personnel had identified the vulnerability months before, or that the issue was not remediated as company policy required. Unaware of that history, despite attending meetings with informed personnel, the senior executives did not evaluate whether to disclose the prior detection or the failed remediation. As a result, the SEC concluded that the company violated the disclosure controls rules, which require controls and procedures “designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits . . . is recorded, processed, summarized and reported, within the time periods specified” in SEC rules. Without admitting or denying the SEC’s findings, the company agreed to pay a penalty of approximately $0.5 million. Demonstrating a recent increase in interagency cooperation on cybersecurity issues, the SEC acknowledged the assistance of the New York State Department of Financial Services, which previously filed a related enforcement action against the company. [1]

Takeaways

Although the SEC has filed few cases involving cybersecurity-related disclosures, this case shows the SEC’s willingness to bring enforcement actions to back up its recent guidance on this topic. Public companies may want to revisit the SEC’s 2018 guidance that the SEC expects disclosure controls to address cybersecurity risk and incidents:

When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. [2]

The case also is noteworthy for the SEC’s decision to find a violation of the disclosure controls rules, which have been the subject of limited enforcement actions. [3] This may signal increased enforcement focus on internal controls requirements, even in the absence of a disclosure violation or actual harm.

Cybersecurity is a material risk for many companies, but risk profiles vary by industry and company. Finding the right balance of cybersecurity updates without overwhelming senior management with too much information is an increasingly important governance challenge for public companies. With the growing frequency of cybersecurity vulnerabilities and incidents, companies can expect increased government scrutiny after disclosure of a cybersecurity issue. This includes the SEC, which we expect will continue to bring enforcement actions in this area.

Endnotes

1See NYDFS Enforcement Action: Statement of Charges and Notice of Hearing to First American Title Insurance Company (Jul. 21, 2020) (available at https://www.dfs.ny.gov/system/files/documents/2021/03/ea20200721_first_american_notice.pdf).(go back)

2Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, 8171 (Feb. 26, 2018) (available at https://www.sec.gov/rules/interp/2018/33-10459.pdf).(go back)

3In 2019, the SEC charged four companies with violating a different aspect of the rule, Rule 13a-15, that requires companies to have internal controls over financial reporting. See SEC Charges Four Public Companies with Longstanding ICFR Failures (Jan. 29, 2019) (available at https://www.sec.gov/news/press-release/2019-6).(go back)

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>