Recent SEC Enforcement Activity Highlights Issuers' Cybersecurity Disclosure Obligations and Pitfalls
The U.S. Securities and Exchange Commission (SEC) has continued to make cybersecurity disclosures an enforcement priority. Recent enforcement activity, summarized below, highlights these key points for SEC-regulated issuers:
- The SEC will closely scrutinize issuers' public statements and disclosures of a cybersecurity incident. Frequently used qualifiers in such disclosures—for example, stating that data "may have been compromised" when compromise was confirmed—could be considered misleading. Promoting the company's strong security practices without disclosing that an incident resulted from security control failures could be similarly problematic.
- Material misstatements in the cybersecurity space are not limited to those about confirmed data breaches. The SEC recently settled its first case finding that an issuer failed to adequately disclose a security vulnerability.
- Recent enforcement activity has emphasized the adequacy of issuers' disclosure controls as they relate to cybersecurity risks and incidents. Issuers must ensure that they have adequate controls in place to evaluate their cybersecurity risk landscape—looking not only at confirmed breaches but also at vulnerabilities and other issues that could lead to breaches—and to ultimately report and disclose material risks and incidents. Now is a good time to revisit the SEC's 2018 guidance on cybersecurity disclosures.
Pearson plc Settlement
Last week, the SEC announced a $1 million settlement with Pearson plc, an educational publishing and services company. The SEC's August 16, 2021, cease-and-desist order made findings related to a March 21, 2019, incident where Pearson learned that an attacker had accessed and downloaded millions of rows of data stored on a server supporting its AIMSweb 1.0 software.
The order found that Pearson failed to disclose this material cybersecurity breach in its SEC filings and made misstatements about the breach in a press statement. Specifically, the order found:
- First, with respect to Pearson's SEC filings: Several months after discovering the breach, Pearson issued a Form 6-K that referenced a general risk of data breach or other cybersecurity incident in the "Principal risks and uncertainties" section. The SEC found that this disclosure was misleading because the Form 6-K did not specifically reference the AIMSweb 1.0 breach.
- Second, with respect to a Pearson media statement: Although the company issued a media statement acknowledging and describing the AIMSweb 1.0 breach, the SEC found that the statement was misleading in several respects. The SEC's findings related to the media statement are noteworthy because the SEC took issue with various qualifiers and other language that is commonplace in many companies' descriptions of security breaches:
  - The media statement referred to the incident only as "unauthorized access" and "expos[ure of] data," even though Pearson knew that the attackers had downloaded millions of rows of data from the compromised server;
  - The statement said that the data "may include" birthdates and email addresses, even though the company knew about half of the exfiltrated records included birthdates and about 290,000 included email addresses;
  - There was no mention of the volume of breached data; the statement did not disclose that millions of records were compromised; and
  - The statement included the following language, versions of which are included in many breach notifications and disclosures: "Protecting our customers' information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability." The SEC found this statement to be misleading because it made no mention of the unpatched critical vulnerability or the outdated hashing algorithm.
The SEC found that Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act (prohibiting the offering or sale of securities by means of material misstatements or omissions) and Section 13(a) of the Exchange Act (requiring foreign issuers to provide SEC filings that are accurate and not misleading), as well as Exchange Act Rule 13a-15(a), which requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified by the SEC. The SEC did not charge Pearson with a violation of Exchange Act Rule 10b-5, proof of which requires evidence of intentional material misstatements or omissions.
The Pearson settlement illustrates that the SEC is scrutinizing public disclosures related to security incidents. Consequently, when making any public disclosure about a security incident, companies should take great care to craft their disclosures to accurately disclose the circumstances of the security incident, and consider if common qualifiers, generic statements, or other language might be construed as misleading.
The Pearson settlement also highlights the way the SEC examines the materiality of a data breach. The order found that the breach was material because it went to the heart of Pearson's business—collecting and storing large amounts of student data and being trusted by its customers to do so securely.
First American Financial Corp. Settlement
The SEC's June 15, 2021, settlement with real estate settlement services company First American Financial Corporation (First American) provides insight into how the Commission may expand liability for issues related to cybersecurity disclosures. While the SEC has settled numerous cases alleging that issuers failed to disclose confirmed security breaches (such as with Pearson, above), First American is the Commission's first settlement arising from an alleged failure to adequately disclose a security vulnerability—namely, an issue with software that could be used by an attacker to compromise the issuer's computer systems.
In its June 15, 2021, cease-and-desist order, the SEC found the following:
- On May 24, 2019, a cybersecurity journalist notified First American that its EaglePro software application had a vulnerability exposing more than 800 million images of title and escrow documents dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.
- First American issued a statement for inclusion in the cybersecurity journalist's report published later in the day on May 24, 2019, and furnished a Form 8-K to the SEC several days later. First American's press statement noted that the company had taken "immediate action" to terminate external access to the exposed data.
- However, the senior executives at First American who were responsible for the press statement and Form 8-K were not made aware of some important information about the EaglePro application prior to making those disclosures. Specifically, they were not informed that the company's information security personnel had been aware of the vulnerability in EaglePro since January 2019 following a security test, or that the company had failed to timely remediate that vulnerability in accordance with its policies.
- The company's information security team had classified the vulnerability as "serious" in January 2019. Under First American's vulnerability remediation policies, the vulnerability either should have been remediated by early May—before First American was contacted by the journalist—or the company's chief information security officer ("CISO") should have been notified. Neither of those things occurred.
According to the SEC's order, information about the January 2019 findings "would have been relevant to management's assessment of the company's disclosure response to the vulnerability and the magnitude of the resulting risk," including whether to disclose the company's prior knowledge. Therefore, the SEC found that First American failed to maintain disclosure controls and procedures designed to ensure that senior management had all available relevant information prior to making its disclosures, in violation of Exchange Act Rule 13a-15(a).
First American agreed to cease and desist from committing or causing any violations and any future violations of Exchange Act Rule 13a-15 and paid a civil monetary penalty of $487,616. As in the Pearson settlement, the SEC did not charge First American with a violation of Exchange Act Rule 10b-5 for intentional material misstatements or omissions in its Form 8-K.
Notably, First American still faces ongoing civil charges by the New York State Department of Financial Services relating to its response to the data exposure under the agency's cybersecurity regulation. Infractions of that regulation carry penalties of up to $1,000 per violation.
The SEC's settlement with First American signals that management must be aware of significant vulnerabilities in the company's computer systems. Vulnerabilities identified through audits, assessments, or security testing are not merely the concern of security and IT personnel—issuers need a clear process for evaluating vulnerabilities, identifying those that may be relevant to the company's required disclosures, and providing senior management with sufficient information to evaluate and disclose the related risks.
In particular, issuers should:
- Establish policies and procedures to ensure that significant security vulnerabilities are escalated to senior management in a timely manner so that the necessary disclosures can be made accurately in the company's SEC filings;
- Ensure proper compliance with vulnerability remediation policies and regularly test the adequacy of those controls; and
- Train information security personnel to understand potential disclosure obligations posed by data security vulnerabilities.
Probe of Disclosures Related to SolarWinds Attack
The Pearson and First American cases are not the SEC's only recent foray into the cybersecurity space. In June 2021, the SEC announced a probe related to the high-profile cyberattack involving IT software provider SolarWinds. In conjunction with the announcement of its probe, the SEC sent investigative letters requesting information from recipients about whether they were victims of the attack and what the impacts were on their business.
By way of background, the attackers disguised the initial attack within legitimate software updates issued by SolarWinds that were downloaded by thousands of companies and government agencies. Once inside their targets, the attackers used a backdoor to gain access to networks, collect authorized user information, and move through the networks undetected.
The SEC may take the position that issuers violated Rule 13a-15 and other securities requirements such as Rule 10b-5 by failing to disclose how the SolarWinds attack affected them. The SEC's announcement stated that its enforcement division would not recommend actions against companies that voluntarily provided information requested by the letter. The SEC has also been investigating SolarWinds itself following reports that investors sold $315 million in company shares days before the attack was announced publicly.
SEC's Continued Focus on Cybersecurity
The settlements with Pearson and First American and the SolarWinds probe reflect the SEC's ongoing efforts in the cybersecurity space. Issuers should anticipate further developments in this area. On June 11, 2021, the SEC announced its Spring 2021 Regulatory Flexibility Agenda, which noted that the Commission intends to "propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance" by October 2021.
Whether or not cybersecurity vulnerabilities materialize into actual security breaches, it is clear from these developments that the SEC will be paying attention and scrutinizing issuers' statements and actions in response to cybersecurity incidents and risks. DWT will monitor and report on SEC developments in this space as they unfold.