Cybersecurity and Disclosures

Paul Ferrillo is partner at Seyfarth Shaw LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and George Platsis is Senior Lead Technologist at Booz Allen Hamilton. This post is based on a memorandum authored by Mr. Ferrillo, Mr. Zukis, Mr. Platsis, and Christophe Veltsos.

 “The Vulcan mind meld, also known as the mind link, mind probe, mind fusion, mind touch, or simply meld, was a telepathic link between two individuals. It allowed for an intimate exchange of thoughts, thus in essence enabling the participants to become one mind, sharing consciousness in a kind of gestalt.” [1]

—The Star Trek definition of “Mind Meld”

The United States Securities and Exchange Commission (SEC or Commission) recently issued two critical Consent Orders, First American Title [2] and Pearson, [3] both articulating the need for timely, fulsome, and accurate disclosures to the market when a data breach occurs. These two Consent Orders are the first precedents that offer guidance on what the SEC is expecting on cybersecurity risk related to what the board needs to know, when they need to know it and when they need to disclose it.

When you “mind meld” First American Title and Pearson, you sense the enforcement mantra from the SEC: cybersecurity disclosure obligations, under the 1934 Act, must be made in a timely and accurate manner. When you add a strong incident response plan with the 2018 cybersecurity guidance the result is a full set of guiding principles for cybersecurity disclosures that should be referred to in the case of a material breach or ransomware attack. For the first time since cybersecurity first came onto the SEC’s radar screen in 2011 cybersecurity disclosure can no longer be perceived as a “mystery” by registrants. These precedents offer “just in time” guidance given the worsening cybersecurity climate and a never-ending series of nation-state attacks and ransomware attacks. Here is how we view the landscape after recent SEC actions.

The 2018 SEC Cybersecurity Guidance Lays the Groundwork

The 2018 SEC Cybersecurity Guidance [4] addressed several critical cybersecurity risk disclosure practices public companies must address. [5] The SEC stated “…it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” [p. 4 of the 2018 Guidance][emphasis supplied]. The guidance also specifically addresses insider trading related to significant cybersecurity incidents and the need for policies and procedures to prevent this.

The SEC further stated that the key to these objectives is the “…development of effective disclosure controls and procedures…” [p. 5 of the 2018 guidance] and followed to say directors must be properly informed about the “…cybersecurity risks and incidents that the company has faced or is likely to face.” This requirement alone is noteworthy as it places a challenging burden on corporate directors.

In addressing materiality the SEC notes “In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

This far-reaching materiality statement ties cybersecurity to systemic risk. The “range of harm” statement specifically addresses the interconnected nature of digital business systems and the systemic risk inherent within them. Put another way: risk can now easily traverse through and between enterprises. They also acknowledge the broad and compound range of impacts that cybersecurity can have from the extent of compromised and stolen data, to regulatory fines, reputational impact to financial impact.

The 2018 SEC Cybersecurity Guidance also addresses incident escalation through effective disclosure controls, giving a roadmap to the board on how to oversee cybersecurity risk. They note, “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk. In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Further Sharpening of the Disclosure Pencil: First American Title

FAF is a very large financial services company that has a large title insurance division (hereinafter the “Title Company”) which performs tens of thousands of transactions a year, thus collecting millions of pieces of information in the time. On or about May 24, 2019, cyber investigation journalist Brian Krebs notified the Title Company [5] that its internet-facing, web-enabled application used to share document images had a vulnerability that potentially exposed more than 800 million real estate and title documents to the public, including images containing sensitive personal information like social security numbers and personal financial information. [6]

The company shortly thereafter issued a press release and disclosure to the SEC through Form 8-K. However, unbeknownst to both the board and senior management (who were responsible for filing the Form 8-K disclosure), the vulnerability, which dated back to 2014, was discovered by senior IT management in December 2018 and documented as “serious” in a security assessment report. Despite identifying and documenting the vulnerability, it was never remedied until Brian Krebs made his announcement. Based on these facts, including others and others related to the severity of the data exposure, the SEC noted in the consent order:

Accordingly, the senior executives responsible for the company’s statements in May 2019 did not evaluate whether to disclose the company’s prior awareness or (lack of) actions related to the vulnerability because they were not aware of the January 2019 report.

Unbeknownst to these senior executives, the company’s information security personnel did not remediate the vulnerability but were still held liable to respond to it.

Indeed, subsequent to the May 28, 2019, Form 8-K, the company’s information security personnel determined that the vulnerability had, in fact, existed since 2014. Because the critical vulnerability was not escalated, the senior executives lacked the information required to fully evaluate the company’s cybersecurity responsiveness and risk. Thus, the SEC noted as of May 24, 2019, First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data. It concluded:

As a result of the conduct described above, First American violated Exchange Act Rule 13a-15(a) [17 C.F.R. § 240.13a-15], which requires every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms. See SEC Cease and Desist Order in FAF [7]

In the accompanying press release, the SEC noted: “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” (emphasis added).

Pearson

The Commission’s consent order settling the Pearson cybersecurity enforcement matter builds upon the 2018 SEC Commissioners Cyber guidance, as well as the Consent order in First American.

According to the SEC, Pearson made “material misstatements” and omissions regarding a 2018 cyber intrusion that affected several million rows of student data across 13,000 school, district, and university customer accounts in the United States. In a July 26, 2019 report furnished to the Commission, Pearson’s risk factor disclosure implied that Pearson faced the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach” but did not disclose that Pearson had in fact already experienced such a data breach. On July 31, 2019, approximately two weeks after Pearson sent a breach notification to affected customers – in response to an inquiry by a national media outlet – Pearson issued a previously-prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved.

Importantly the SEC rang the bell on two important issues, including one on materiality, a topic on which the SEC previously had not written a lot about. Specifically, the issue of materiality was approached from an operational and breach perspective. Here, the SEC noted in the Consent Judgement,

The breach at issue was material because Pearson’s business, including but not limited to AIMSweb 1.0, involved collection and storage of large quantities of private data on school-age children around the world. As Pearson acknowledged in its risk disclosures, Pearson “holds large volumes of personally identifiable information,” and its reputation and ability to attract and retain revenue depended in part on its ability “to adequately protect personally identifiable information.” This breach involved a compromise of a server holding a large quantity of data Pearson was responsible for protecting and exfiltration of a significant number of student names, dates of birth, and email addresses, and school administrator login credentials. It also involved lapses in Pearson’s protection of that data.

In light of the reporting deficiencies noted above, the SEC, somewhat similar to its First American consent order, concluded:

Pearson’s processes and procedures around the drafting of its July 26, 2019 Form 6- K Risk Factor disclosures and its July 31, 2019 media statement failed to inform relevant personnel of certain information about the circumstances surrounding the breach. Although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings. (emphasis supplied).

A Fulsome Incident Response Plan is Essential

Though we are not familiar with the incident response plans in the above cases, we are for certain that it is important for every company to have a fulsome incident response that is practiced and tested before a breach or cyber-attack happens.

One of the factors of a good incident response plan (that plays well into disclosure control issues) is making sure breach information rises to the board and senior management level, something that is often captured in a well-designed crisis management plan. Well-designed plans include a strong understanding of risk and criticality, a mechanism for escalation, and the ability to assist in the decision-making process. The decision-making process is not limited to tactical and technical responses. The decision-making process includes when to notify stakeholders, what types of communications must be released, who needs to make them, and of course, what needs to be disclosed to regulatory bodies and when.

Furthermore, outside of an incident or crisis, good planning also includes a mechanism to escalate vulnerabilities, ensuring senior management and board awareness. It is good practice for the senior management and board to be aware of critical vulnerabilities as the risk being taken on, as that risk may require that senior set of “eyes on” to be signed off and captured in the risk register as an exception until it is remediated. Indeed, these could be cases where compensating controls may need to be instituted as well. Bluntly, for risk to be best managed, the managers need to be aware of the risk.

The Mind-Meld — Putting it all Together

Here is how we interpret the 2018 SEC Commissioner’s guidance on cybersecurity and the SEC’s actions on First American, and Pearson:

The What and When of Disclosure

Not every breach or incident rises to a level of materiality that requires boardroom involvement or disclosure. However, given the tendency for breaches to grow in scope and impact as they are investigated, especially with regard to their systemic impacts, incident response plans need to be well thought out. And information needs to escalate quickly to the C-Suite and the board of directors, especially in a data rich company like Pearson.

Risk appetite and risk tolerance need to be understood, and quantification of cyber risk needs to take place. One of the challenges here is that materiality as defined by the SEC is not a quantified concept. The stronger an organization’s approach to cyber risk economics, the easier it will be to understand financial materiality but that’s only one part of materiality as the Commission noted in Pearson. Governing and managing cyber risk like any other financial risk is not only possible, but it’s necessary.

Estimating and Quantifying cyber risk

The 2018 SEC guidance says “…we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”

Quantifying breaches, or ransomware attacks becomes much more difficult when third-party risk and supply chains come into play as well. That is, does the breach also impact your customers, suppliers or others? We have seen over the past 6 months malware and ransomware attacks that affect not one company, but many, and often at the same time.

CISO’s and boards need to have a well-defined understanding of the nature of an incident and its far reaching financial, reputational, and legal impacts in order to assess materiality. Without this, boards either get nothing, or instead everything gets disclosed which is not an acceptable approach.

Once an incident response plan defines the parameters of boardroom reporting, regular incident reporting is needed. And regularity is defined and dictated by the threat environment facing the organization. Boards can only react to the information that reaches them, and the information needs to be in the right context to determine materiality. Effective disclosure controls and procedures are not possible without this level of understanding.

In terms of disclosure, accept that time is not your friend. Assuming the risk is deemed material, you may only have days – not weeks – to disclose, especially in the case of a breach. In many cases, 72 hours or less is a good marker, and several state law disclosure regimes have this requirement.

We do not have a crystal ball that would allow us to predict which enforcement actions the SEC will undertake next. However, having peeked into two recent — and successful — cases brought forward by the SEC, we feel confident in saying that, for publicly traded companies, there is an urgent imperative for the board of directors and management to revisit, no, to critically review, their organization’s risk controls and their playbook for responding to and communicating clearly about the inevitable next cybersecurity incident.

Endnotes

1See definition of “Mind Meld,” available at https://memory-alpha.fandom.com/wiki/Mind_meld(go back)

2See SEC Charges Issuer With Cybersecurity Disclosure Controls Failures, available at https://www.sec.gov/news/press-release/2021-102(go back)

3See SEC Charges Pearson plc for Misleading Investors About Cyber Breach, available at https://www.sec.gov/news/press-release/2021-154(go back)

4https://www.sec.gov/rules/interp/2018/33-10459.pdf(go back)

5The 2018 guidance followed to two cybersecurity events, the Equifax breach of July 2007, and the Yahoo enforcement decision and consent order in April 2018. See Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, available at https://www.sec.gov/news/press-release/2018-71. (go back)

6See Press Release, SEC Charges Issuer With Cybersecurity Disclosure Controls Failures, available at https://www.sec.gov/news/press-release/2021-102.(go back)

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>