by Francesca L. Odell, Rahul Mukhi, Tom Bednar, Nina E. Bell, and Greg Stephens
Left to right: Francesca L. Odell, Rahul Mukhi, Tom Bednar, and Nina E. Bell (Photographs courtesy of Cleary Gottlieb Steen & Hamilton LLP) (Not Pictured: Greg Stephens)
The SEC pursued a number of high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.
Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will want to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.
The SEC's cybersecurity disclosure rules became effective in late 2023, and 2024 marked the first full year of required compliance. The rules added Item 1.05 to Form 8-K,[1] requiring domestic public companies to disclose certain information within four business days of determining that they have experienced a material cybersecurity incident, including the material aspects of the nature, scope and timing of an incident and the material impact or reasonably likely impact of the incident on the company.
The SEC focused considerable effort on providing additional guidance on how it expects companies to comply with the cybersecurity rules. After observing developing practice for six months, the SEC staff published five additional Compliance and Disclosure Interpretations (C&DIs) in June 2024, clarifying certain points with respect to materiality determinations in connection with the rules.
Erik Gerding, the outgoing Director of the SEC Division of Corporation Finance, also issued two statements at the time relating to disclosure of cybersecurity incidents. One statement noted, in response to several companies filing Item 1.05 Form 8-Ks for incidents for which they had not yet made a materiality determination or that they had determined were not material, that in those circumstances companies should instead disclose the incident under a different item of Form 8-K (for example, the catchall Item 8.01), to allow investors to more easily distinguish between incidents that have been determined to be material and those that have not.
Finally, the SEC issued comments to several companies that had filed Item 1.05 Form 8-Ks. The majority of these comments were issued to companies that, prior to the June 2024 guidance, had disclosed incidents under Item 1.05 that they had not determined to be material. Companies generally noted that they would consider that guidance going forward.
Cybersecurity incident response and related disclosures remained a priority for agency enforcement throughout the year. Notably, this year's headline actions were brought based on conduct occurring prior to the new Form 8-K requirements taking effect. Moreover, the cases involved either no-admit, no-deny settlements or allegations that have not been tested at trial. For further discussion, see An Active Year in Enforcement, with Changes to Come.
Of particular note were a settled enforcement action in June against R.R. Donnelley (RRD), a Manhattan federal judge's July decision granting in part and denying in part SolarWinds's motion to dismiss certain charges relating to a well-known cyber attack in 2020, and more recent enforcement actions and settlements against companies that were victims of cyber attacks. While the SEC suffered a setback in the SolarWinds case, actions settled both before and after that decision demonstrated an appetite to aggressively pursue what the SEC perceived to be inadequate disclosure controls or potentially misleading post-incident disclosures.
R.R. Donnelley Settles Inadequate Security Alert Response Allegations
In July of 2024, business communications and marketing services company R.R. Donnelley & Sons Co. agreed to pay $2.1 million to resolve an SEC investigation into alleged deficiencies in RRD's disclosure controls and internal controls, both related to a 2021 cyber attack. The SEC alleged that RRD did not allocate sufficient resources to manage alert monitoring reports produced by a contracted third-party monitoring service and did not adequately instruct the service provider on escalation procedures.
Notably, the SEC was concerned with RRD's failure to maintain cybersecurity procedures and controls designed to escalate relevant aggregated security alerts, in addition to confirmed incidents, to management personnel and disclosure decision-makers in a timely manner. This focus on failure to escalate alerts casts a much wider net for disclosure controls relating to general anti-fraud provisions than incidents that may need to be escalated for consideration of whether disclosure is required under Form 8-K. With this in mind, registrants should analyze their entire incident response process to determine whether controls and procedures are in place not only to detect material incidents and potential security events, but also to direct front-line reviewers how to appropriately escalate such information and to consider the materiality of incidents in the aggregate.
The SEC also took issue with RRD's capacity for responding to alerts. Highlighting a perceived inability to adequately manage the large volume of escalated alerts, the enforcement order alleged that "the staff members allocated to the task of reviewing and responding to these escalated alerts had significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD's environment."[2] Registrants should consider whether their internal and external security teams have sufficient time and resources to dedicate to reviewing and potentially escalating alerts. Companies should be prepared to defend the adequacy of those staffing and resourcing decisions based on historical needs.
Dismissal of Most SEC Claims Related to SolarWinds
SolarWinds Corp. suffered a significant cyber attack dubbed "SUNBURST" that was discovered in December 2020. The attack compromised the security of SolarWinds' software products, resulting in subsequent security incidents that impacted SolarWinds customers, including the federal government, certain state governments and many Fortune 500 companies. The SEC filed a complaint against SolarWinds and its Chief Information Security Officer in October 2023, alleging they made false statements in violation of the antifraud provisions of the federal securities laws, by touting the strength of their cybersecurity practices in the period before they learned of the SUNBURST incident, and by misleadingly minimizing the extent of the intrusion after it was discovered. The SEC also accused SolarWinds of having such poor cybersecurity and incident reporting procedures that it constituted a violation of the internal controls and disclosure controls provisions of the securities laws.
In July 2024, a judge in the Southern District of New York dismissed the claims relating to the pre-incident media and disclosures, post-incident Form 8-Ks, disclosure controls, and internal controls. The only claim that the district court has permitted to proceed alleges that SolarWinds released a Security Statement that materially misrepresented its internal access controls. The SolarWinds decision leads to several important takeaways.
First, the decision strikes a blow against the SEC's contention that cybersecurity controls are part of the system of internal control over financial reporting required by securities laws. The opinion contained persuasive logic that may frustrate an appeal or further attempts at this line of argumentation in future SEC actions. Consequently, the SEC may refocus its efforts towards disclosures and disclosure controls, as it has historically.
Second, the SolarWinds case serves as a reminder that companies can be liable in an enforcement action for public statements that are not contained in SEC filings and that may not even be intended for investors. Companies and boards of directors should be aware of what statements are made in marketing materials, security statements, ESG statements, and other public statements that are part of the "total mix of information" available to investors.
Third, courts may distinguish between highly general statements touting a strong cybersecurity posture, which may be dismissed as mere puffery that is not important to investors, and concrete statements about specific cybersecurity practices, which may give rise to a fraud claim if a company is not following those practices consistently. Here, the order dismissed claims related to generic statements from SolarWinds that it "places a premium on the security of its products" and "makes sure everything is backed by sound security processes," while declining to dismiss claims related to statements such as SolarWinds's representation that its "password best practices enforce the use of complex passwords that include both alpha and numeric characters."
Fourth, the opinion highlights the importance of providing supplemental disclosures when the victim of a cyberattack determines additional material facts about the incident. An additional Form 8-K filed by SolarWinds in January 2021 was cited in the opinion as evidence of the company's lack of fraudulent intent regarding any potential prior material omissions. This point highlights the importance for companies of filing follow-up disclosures after a cyberattack, as appropriate, as the SEC highlighted in the Form 8-K requirements.
Settlements With Victims of SolarWinds Attack
In October, the SEC announced settled enforcement actions charging four companies that experienced cyber intrusions due to use of infected SolarWinds software. All four companies were involved in IT services and experienced security incidents. The SEC alleged that two of the companies materially misled investors because they used the same generic risk factor disclosures about potential cyber attacks as they did before the breach. The other two companies did provide updated post-breach disclosures, but the SEC alleged those disclosures were misleading by omission, because the companies allegedly downplayed the extent of the intrusions by omitting details that would have been material to investors, such as the fact that the threat actor behind the breach was likely a state actor; the extent of the threat actor's activity in each company's environment; and the amount and significance of the code that was exfiltrated. When considered together with the SolarWinds opinion, these actions provide a few takeaways worth considering.
The SEC did not allege that any of the charged companies' cybersecurity practices violated the Exchange Act's internal controls provisions. It is unclear whether this absence was due to a policy change at the SEC after the SolarWinds ruling or merely a reflection of factual differences between the situations. On the other hand, the SEC did allege failure to maintain proper disclosure controls against one of the companies, asserting that it had no procedures to ensure that, in the event of a known cybersecurity incident, information would be escalated to senior management. Notably, many months elapsed between when the intrusion was discovered by first-line security alert reviews and when senior management was alerted.
These actions against victims of cyber incidents demonstrate the aggressive enforcement posture under Chair Gary Gensler's SEC, despite losses on similar points at the motion to dismiss in the SolarWinds case. A dissenting statement by Republican Commissioners Hester Peirce and Mark Uyeda, who also dissented from the vote to bring the SolarWinds action, shed some light on how things may shift following the upcoming administration change. Calling this action "Monday morning quarterback[ing]," the Republican Commissioners argued that these actions were largely victim blaming, especially when the companies had disclosed the incidents and the SEC was nitpicking the quality of the disclosures. The dissent also argued that the statements or omissions at issue would not actually be material to a reasonable investor. We believe it is unlikely that these types of cases will be brought under the new administration of Chair-nominee Paul Atkins, with the new administration focusing on violations of the new disclosure rules and actual investor harm.
Finally, the settlements indicate that the SEC will give heightened scrutiny to disclosures by companies in sectors such as information technology and data security, because in its view cybersecurity breaches are more likely to affect those companies' reputation and ability to attract customers.
Flagstar Financial Settlement
The Flagstar Financial, Inc. settlement released on December 16, 2024, provides an indication of the type of cybersecurity case the SEC is more likely to focus on under the next administration.[3] In a no-admit/no-deny settlement in which Flagstar paid a $3.55 million penalty, the SEC alleged that Flagstar negligently made materially misleading statements regarding the late 2021 "Citrix Breach" that resulted in the encryption of data, network disruptions, and the exfiltration of personally identifiable information for approximately 1.5 million individuals. The SEC took issue with 2022 Flagstar filings representing that the company merely experienced unauthorized "access" to its network and customer data when in reality it was aware that the breach disrupted multiple network systems and exfiltrated sensitive customer data. The SEC also objected to the company repeating generic risk factor disclosures about the potential for experiencing hacks after the company was already aware of the cyber attack. Taken together, the SEC considered these notices to be misleading. Notably, the Republican Commissioners did not dissent from the Order. This case illustrates the type of cases the upcoming administration is more likely to pursue: those where investors or customers may have been harmed and post-incident disclosures are materially misleading, both in downplaying incident severity and in omitting critical information.
Companies should take care in deciding how and when to disclose cybersecurity incidents and in crafting disclosures about the potential impact of such incidents, including on Form 8-K and in risk factor disclosure. Registrants will want to balance the SEC's concern with over-disclosure under Item 1.05 against the risk of enforcement actions should they fail to disclose information deemed by the SEC to be material. Given the guidance provided by the SEC, we generally expect registrants will err on the side of filing protective Item 8.01 Form 8-Ks for incidents they are concerned could become material but before a definitive materiality conclusion has been reached, which has been the general practice following the SEC guidance in June. Registrants that file an 8-K under Item 1.05 without describing any actual or anticipated quantitative or qualitative material impact should be ready to explain to the SEC staff their materiality analysis and why they filed under Item 1.05 and not Item 8.01.
When preparing their disclosure, registrants should consider factors such as: whether the threat actor is likely affiliated with a nation-state; whether, or the extent to which, the threat actor persisted in the company's environment; and whether the company should disclose not only the number of files or amount of customer data compromised, but also the significance of the files or data and the uses that could be made of them. If the company seeks to quantify the impact of the intrusion, the SEC will likely scrutinize whether the company selectively disclosed quantitative information in a misleading way. Moreover, if the company quantifies the impact of the intrusion but is aware of gaps in its investigation or in the available data that mean the severity of the impact could have been worse, the SEC may consider it misleading not to disclose those facts.
Looking to the future, the recent dissents by the Republican Commissioners indicate a likelihood of the agency's focus shifting to a less granular concept of materiality in disclosures. We expect the SEC will focus on situations like that in Flagstar, where there is potential for investor harm, rather than dissecting post-incident reports and company processes. That being said, under the last Trump Administration the SEC brought a number of blockbuster cyber incident disclosure cases against Yahoo and others, which, combined with the new rules, behooves registrants to pay attention to disclosure and related policies and procedures.
[1] The final rules also amended Form 6-K to add "cybersecurity incidents" as a reporting topic for foreign private issuers.
[2] See "In the Matter of R.R. Donnelley & Sons Co." (June 18, 2024), available here.
[3] See SEC Administrative Proceedings, "SEC Charges Flagstar for Misleading Investors About Cyber Breach" (December 16, 2024), available here.
Francesca L. Odell, Rahul Mukhi, and Tom Bednar are Partners, Nina E. Bell is a Capital Markets Attorney, and Greg Stephens is an Associate at Cleary Gottlieb Steen & Hamilton LLP. This post first appeared on the firm's website.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).