The Initial Salvo Was Staff-Level Guidance from the SEC’s Division of Corporation Finance
On October 13, 2011, the SEC’s Division of Corporation Finance released guidance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011) (the 2011 guidance), outlining its views on public company disclosure obligations related to cybersecurity. This was the first time the commission or any of its divisions spoke explicitly about cybersecurity disclosure obligations. The 2011 guidance did not establish any new disclosure requirements. Instead, it reviewed the existing framework of disclosure obligations, highlighting the following disclosure areas, which might be implicated by cybersecurity incidents or risks:
- Risk Factors;
- Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A);
- Description of Business;
- Legal Proceedings;
- Financial Statement Disclosures; and
- Disclosure Controls and Procedures.
In each of these areas, the Division of Corporation Finance encouraged issuers to consider known or threatened cyber incidents as well as the probability of a cyber incident based on the cybersecurity risks specific to their companies. In particular, the guidance cautioned that disclosure in the form of a hypothetical risk (i.e., that a company could fall victim to an attack) would be insufficient where a cyberattack of the same or similar quality had in fact occurred. This would become a central theme in future guidance and enforcement actions.
The 2011 guidance also reiterated that companies could not satisfy their disclosure obligations—including disclosure obligations related to cybersecurity—with “boilerplate” disclosure that “could apply to any [company].” The guidance did, however, state that disclosures need not be so specific that the disclosure “itself would compromise a [company’s] cybersecurity.”
Following the 2011 guidance, the Division of Corporation Finance issued comment letters regarding cybersecurity disclosures to a multitude of public companies across a diverse group of industries. See Letter from Mary Jo White, Chair, Securities & Exchange Commission, to Senator John D. Rockefeller IV (D-WV) (May 1, 2013). Many of those comment letters questioned certain public companies’ disclosures of a hypothetical risk of a cybersecurity incident when it was apparent from public reports that such an incident had already occurred and asked those companies to disclose those incidents to provide the proper context. Matthew F. Ferraro, “‘Groundbreaking’ or broken? An analysis of SEC cybersecurity disclosure guidance, its effectiveness, and implications,” 77 Albany L. Rev. 297 (2014) (analyzing comment letters and responses regarding Amazon.com; AIG; Anheuser-Busch InBev; ConocoPhillips, Inc.; Eastman Chemical; Google; Hartford Financial Services Group; Quest Diagnostics; Verizon; and Wyndham Worldwide). Comment letters along these lines continue today.
The Commission Showed a Renewed Focus on Cybersecurity by Establishing a Cyber Unit and Issuing Commission-Level Guidance
Enforcement actions did not immediately follow the 2011 guidance and subsequent comment letters, as many had expected. The next volley from the commission came years later in September 2017 when it established a Cyber Unit within the Division of Enforcement. SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017). The stated focus of the new unit did not seem to include issuer disclosures related to cybersecurity and instead was placed on other cyber-related misconduct, including market manipulation using digital infrastructure, hacking to obtain material nonpublic information, violations involving initial coin offerings, misconduct on the “dark web,” intrusions into retail brokerage accounts, and cyber threats to market infrastructure such as trading platforms. However, it became clear through subsequent enforcement actions and related announcements that the unit focuses on cybersecurity disclosures by public companies as well.
In February 2018, just months after announcing the Cyber Unit, the commission issued guidance reinforcing and expanding the Division of Corporation Finance’s 2011 guidance. 17 C.F.R. 229, 249 (Feb. 21, 2018). Like the 2011 guidance, the 2018 iteration highlighted existing disclosure obligations potentially implicated by cyber matters, including risk factors, MD&A, description of business, legal proceedings, financial statement disclosures, and board risk oversight. In making disclosure decisions, the commission recommended that companies consider the following:
- the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventive actions taken to reduce cybersecurity risks and the associated costs;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks;
- the costs associated with maintaining cybersecurity protections;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
In addition to highlighting which issuer disclosures might be affected by cybersecurity incidents or risks, the 2018 guidance established expectations for companies’ disclosure controls and procedures related to cybersecurity. Specifically, the commission encouraged companies to adopt policies and procedures that ensure information regarding cybersecurity incidents and risks is reported to the appropriate personnel and all necessary information is shared so that company leaders can make effective disclosure decisions. The 2018 guidance also highlighted that details of cybersecurity risks and incidents could be material nonpublic information, recommended that public companies consider how their insider trading and related policies account for this reality, and suggested that issuers consider whether it would be appropriate to implement trading restrictions on insiders while investigations of significant cybersecurity incidents were ongoing. Finally, the 2018 guidance reminded issuers of their obligations under Regulation FD and cautioned that information regarding cybersecurity risks or incidents could be material nonpublic information, selective disclosure of which could constitute a violation of Regulation FD.
By reiterating the 2011 guidance at the commission level, and by doing so on the heels of establishing the Cyber Unit, the SEC signaled a renewed focus on public company disclosures related to cybersecurity matters and the importance of timely informing investors about cybersecurity risks and incidents. The themes in the 2018 guidance were later revealed to be a road map for the commission’s coming enforcement actions.
The SEC Brought Its First Enforcement Action in 2018 and Has Built on Those Efforts Through 2021
In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc.
The commission brought its first enforcement action against a public company for deficient cybersecurity disclosures on April 24, 2018. AP File No. 3-18448 (Apr. 24, 2018). In a settled order against Altaba Inc., formerly known as Yahoo! Inc., the SEC alleged Yahoo had violated federal securities laws when it failed to disclose a 2014 data breach affecting more than 500 million user accounts. According to the commission, Yahoo learned in late 2014 that its information technology networks and systems had suffered a severe and extensive intrusion by hackers. By December 2014, Yahoo’s information security team had determined that the personal data of at least 108 million users—including usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers—had been compromised. “Within days,” according to the SEC, Yahoo’s information security team had internally reported the breach to members of Yahoo’s senior management and legal teams. It was later determined that the breach affected more than 500 million Yahoo user accounts.
In its settled order, the SEC alleged that Yahoo had failed to disclose the breach in its annual reports for fiscal years 2014 and 2016 and various quarterly reports in fiscal years 2015 and 2016. Instead, Yahoo had disclosed only the potential risks associated with cybersecurity matters, despite knowing that Yahoo had already suffered a breach and that some of those risks had already come to fruition. One such hypothetical disclosure read, “If our security measures are breached, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.” Order Instituting Cease-and-Desist Proceedings at 4, Matter of Altaba Inc. (emphasis added).
The SEC also alleged that Yahoo had made affirmative misrepresentations regarding cybersecurity in a 2016 stock purchase agreement with Verizon, claiming that it was aware of only four minor data breaches that it had suffered and failing to disclose the 2014 breach. These false representations were made publicly available in a Form 8-K, which Yahoo filed with the commission on July 25, 2016, while Verizon’s purchase of Yahoo was pending. Finally, the SEC asserted that Yahoo management had failed to establish or implement the necessary internal controls to “assess the scope, business impact, or legal implications of the 2014 breach, including how and where the breach should have been disclosed.” When Yahoo finally disclosed the breach in September 2016, its stock price fell by 3 percent, and Verizon negotiated a 7.25 percent reduction in the price it would pay to purchase Yahoo’s stock.
Based on these alleged failures, the SEC charged Yahoo with violating sections 17(a)(2) and 17(a)(3) of the Securities Act, which prohibit public companies from negligently making untrue statements or omissions in the sale of securities and from engaging in practices that operate as a fraud upon investors. The SEC also charged Yahoo with violating section 13(a) of the Exchange Act and corresponding commission rules, which require every issuer to file periodic reports, maintain disclosure controls, and ensure that such reports are not misleading. Without admitting or denying the allegations, Yahoo agreed to a cease-and-desist order and a $35 million civil penalty and agreed to cooperate with any additional commission investigations or litigation that may result from Yahoo’s alleged violations.
At the time, many viewed the Yahoo action as low-hanging fruit for the Enforcement Division. Following the settlement, Steven Peikin, then co-director of the Enforcement Division, noted, “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018).
In the Matter of Facebook, Inc.
Another development in cybersecurity enforcement came in the summer of 2019 when the commission announced settled charges against Facebook, Inc., for misleading disclosures regarding third-party use of Facebook users’ data. Complaint, SEC v. Facebook, Inc., No. 3:19-cv-04241 (N.D. Cal. July 24, 2019). Although the order was not a result of any cyber intrusion, the SEC’s allegations drove home the commission’s distaste for companies disclosing merely a hypothetical risk to their business when indeed the risk had already come to fruition, a particularly important lesson in the context of cybersecurity disclosures.
In its complaint, the SEC alleged that Facebook had disclosed the potential for misuse of users’ personal data by third-party developers as a material risk in its periodic filings since its 2012 initial public offering. Three years later, Facebook discovered that Cambridge Analytica had used an academic researcher to collect user data, including names, genders, locations, birthdays, and “page likes,” from some 30 million Americans for use in connection with Cambridge Analytica’s political advertising, conduct that constituted a violation of Facebook’s data use policies.
Despite learning of this policy violation in December 2015, Facebook allegedly did not make any revisions to its material risk disclosures (or otherwise publicly acknowledge the issue) until March of 2018. Instead, Facebook continued to use its standing hypothetical risk disclosure: “Improper access to or disclosure of user information, or violation of our terms of service or policies, could harm our reputation and adversely affect our business.” (Emphasis added.) According to the commission’s complaint, by failing to update this risk disclosure, “Facebook misleadingly presented the potential for misuse of user data as merely a hypothetical investment risk,” when in fact it knew such misuse had already come to pass. When the collection of user data became public, Facebook allegedly reinforced its misleading statements from public filings through press statements suggesting the company had not uncovered any wrongdoing. The commission also alleged that more than 30 Facebook employees in the company’s legal, operations, policy, and privacy groups learned of the misuse of user data, but Facebook had no specific policies or procedures in place for analyzing the information for the purpose of ensuring that the appropriate disclosures were made to investors. When Facebook ultimately acknowledged the misuse of user data, its stock price fell by 5 percent the next trading day.
Mirroring the Yahoo order, the Facebook complaint alleged violations of sections 17(a)(2) and 17(a)(3) of the Securities Act and section 13(a) of the Exchange Act, as well as associated disclosure controls requirements. Without admitting or denying the allegations, Facebook agreed to pay a $100 million civil penalty and submitted to a permanent injunction against further violations. In a press release announcing the settled action, then Enforcement Division co-director Stephanie Avakian drove home the crux of the issue: “As alleged in our complaint, Facebook presented the risk of misuse of user data as a hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.” SEC Press Release 2019-140, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data (July 24, 2019). This viewpoint has become a recurring theme, especially in the commission’s enforcement actions related to public company cybersecurity disclosures.
In the Matter of First American Financial Corp.
The Enforcement Division brought two cybersecurity enforcement actions in quick succession in 2021. In June 2021, the commission announced settled charges against First American Financial Corp., a real estate settlement services company, for disclosure controls and procedures violations related to a cybersecurity incident. AP File No. 3-20367 (June 15, 2021).
On May 24, 2019, First American was notified by a cybersecurity journalist that a document-sharing application used by the company suffered from a vulnerability potentially exposing more than 800 million title and escrow document images, some containing personal information such as Social Security numbers. First American issued a statement to be included in the journalist’s report of the vulnerability published that evening. The next trading day, May 28, 2019, First American filed a Form 8-K with the SEC, attaching an additional press release discussing the vulnerability. In both statements, the company told investors it had learned of the reported vulnerability and had taken immediate action to address it.
The SEC’s charges focused on First American’s alleged disclosure process failures in connection with its May 24 and May 28 statements. According to the SEC, First American information security personnel had discovered the cybersecurity vulnerability months earlier but had failed to remediate it in accordance with company policy. These details were reported to the company’s chief information security officer and chief information officer on May 24 and May 25, respectively, after First American was contacted by the journalist. However, these details were allegedly not reported to the First American executives responsible for issuing the company’s May 24 statement and May 28 Form 8-K. As a result, according to the SEC, First American executives charged with issuing company disclosures were unable to evaluate whether they should disclose the company’s earlier discovery of the vulnerability or the company’s response to that discovery.
The SEC’s order charged First American with violating Securities Exchange Act Rule 13a-15(a), which requires issuers to maintain disclosure controls and procedures designed to ensure that required disclosures are made properly and in a timely fashion and to ensure that information required to be disclosed is communicated to management to allow timely decisions regarding required disclosure. The order stated, “First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.” Notably, the SEC did not charge First American with making materially false or misleading statements to investors, instead focusing on alleged failures in First American’s disclosure controls and procedures. First American neither admitted nor denied the allegations and agreed to a cease-and-desist order and to pay a civil penalty of $487,616.
In a press release announcing the action, Kristina Littman, chief of the Enforcement Division’s Cyber Unit, stated, “As a result of First American’s deficient disclosure controls, senior management was completely unaware of [the cybersecurity] vulnerability and the company’s failure to remediate it.” She emphasized that “[i]ssuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” SEC Press Release 2021-102, SEC Charges Issuer With Cybersecurity Disclosure Controls Failures (June 15, 2021).
In the Matter of Pearson plc.
Most recently, in August 2021, the commission ordered London-based Pearson plc to pay $1 million in civil penalties for disclosure control failures and misleading disclosures related to a 2018 cyber intrusion. File No. 3-20462 (Aug. 16, 2021). Pearson is a multinational educational publishing and services company that provides services to schools and universities worldwide. According to the commission’s order, Pearson experienced a cyber intrusion in 2018 that involved the theft of millions of student records, including dates of birth and email addresses, and the administrator log-in credentials of 13,000 school, district, and university customer accounts.
Pearson did not initially disclose the incident to the market, and in its semiannual report filed in July of 2019, Pearson allegedly described a data privacy incident as merely a hypothetical material risk. Specifically, Pearson stated that a “[r]isk of a data privacy incident or other failure to comply with data privacy regulations and standards and/or a weakness in information security, including a failure to prevent or detect a malicious attack on our system, could result in a major data privacy or confidentiality breach causing damage to the customer experience and our reputation, damages, a breach of regulations and financial loss.” (Emphasis added.) When a national media outlet asked Pearson about the 2018 breach, the company acknowledged the breach but allegedly made a multitude of misstatements regarding the incident. For example, Pearson stated only that the breach may have included dates of birth and email addresses, when in fact the company knew that such information had been stolen. Pearson’s media statement also allegedly described its cybersecurity as being bolstered by “strict protections” when, in reality, the critical vulnerability leading to the 2018 intrusion had not been patched for more than six months after Pearson had been notified of the vulnerability. The press statement also allegedly omitted that millions of rows of student data had been involved in the 2018 breach. The next trading day after Pearson publicly acknowledged the breach, its stock price fell by 3.3 percent.
The commission’s charges against Pearson demonstrate many of the potential charges a public company can face for failure to comply with cybersecurity disclosure obligations. Like Yahoo and Facebook, Pearson was found to have violated sections 17(a)(2) and 17(a)(3) of the Securities Act and section 13(a) of the Exchange Act, as well as related disclosure controls rules. However, Pearson avoided more serious charges of intentional fraud under section 17(a)(1) of the Securities Act or section 10(b) of the Exchange Act and Rule 10b-5 promulgated thereunder, which could be charged against companies for misstatements in cyber disclosures. The SEC alleged that Pearson initially failed to disclose the 2018 breach, continued to highlight merely the risk of a cybersecurity incident when in fact such an incident had occurred, and made misleading statements and omissions once it finally did disclose the incident. According to Cyber Unit Chief Kristina Littman, “As public companies face the growing threat of cyber intrusions, they must provide accurate information about material cyber incidents.” SEC Press Release 2021-154, SEC Charges Pearson plc for Misleading Investors About Cyber Breach (Aug. 16, 2021).
The Commission’s Focus on Cybersecurity Will Continue and Likely Expand Beyond a Focus on Public Companies’ Disclosures
The SEC’s interest in public companies’ cybersecurity disclosures shows no sign of slowing. Current Enforcement Division Director Gurbir Grewal recently described cybersecurity as “a critical issue in our securities markets and our economy as a whole.” See, e.g., Gurbir Grewal, Director, Division of Enforcement, Securities & Exchange Commission, Remarks at SEC Speaks 2021 (Oct. 13, 2021). And the Division of Corporation Finance has continued to issue comment letters to public companies regarding their cyber-related disclosures. Such comment letters press companies for details regarding board involvement in cybersecurity oversight and seek additional, specific information regarding actual breaches public companies have suffered. SEC-generated letter to Luckin Coffee (SEC Comments, Mar. 21, 2019) (requesting that a public company disclose “the nature of the board’s role in overseeing your cybersecurity risk management, the manner in which the board administers this oversight function and any effect this has on the board’s leadership structure”); CorVel Corp. response to SEC Comments Letter (SEC Comments, Feb. 20, 2020) (instructing a company that had recently discussed a breach on an earnings call to specify (1) the systems breached; (2) how they were breached; (3) the actions the company took to cure the breach; (4) the impact on revenue related to the breach by quarter; (5) the costs incurred to cure the breach by quarter; and (6) the actions and costs incurred to prevent similar breaches in the future).
Moreover, the commission’s cyber enforcement efforts have fairly covered the waterfront when it comes to issuer disclosure failures. The commission has taken companies to task for not disclosing a material cybersecurity incident, disclosing merely a risk of a cybersecurity event when such an event had actually occurred, making misleading statements or omitting material information regarding an incident, and failing to have sufficient disclosure controls and procedures in place to ensure cyber-related disclosures are adequate and timely.
Where else might we see enforcement related to public companies? Thus far, cybersecurity enforcement actions have not alleged failures in a public company’s internal accounting controls, but that may soon change. On October 16, 2018, the Division of Enforcement, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, published a section 21(a) report of investigation discussing whether public companies that had fallen victim to certain cyberattacks had violated the federal securities laws by failing to maintain sufficient internal accounting controls. SEC Release No. 84429 (Oct. 16, 2018). The 21(a) report analyzed “business email compromises,” or instances in which public company personnel had unknowingly wired company funds to bad actors in response to spoofed or compromised emails purporting to be from company executives or company vendors. The instances investigated by the Enforcement Division victimized nine issuers across a variety of industries, each of which resulted in losses of at least $1 million and which, in total, resulted in combined losses of over $100 million.
The commission opted not to bring an enforcement action against the companies it investigated. However, the 21(a) report cautioned that public issuers “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” The report cited for this purpose sections 13(b)(2)(B)(i) and 13(b)(2)(B)(iii) of the Exchange Act, which require certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” Specifically, issuers subject to these sections must “evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems.”
To date, there have been no enforcement actions regarding internal controls failures related to wire transfer fraud or cyber fraud. But as bad actors continue to victimize public companies with these schemes (especially because they require far less technical acumen than a network intrusion), we may see future enforcement activity in this area.
There Are Clear Messages from the SEC’s Cybersecurity Enforcement Actions to Date
There are several lessons to be learned from the SEC’s cybersecurity enforcement efforts against public companies thus far. First, companies should refrain from disclosing merely a hypothetical risk of a cyber incident when they have actually suffered an incident. Such disclosures have been a particular focus of the SEC since its first public discussion of cybersecurity disclosures. Companies should review their existing risk factor disclosures and consider whether changes should be made.
Companies should also make sure their disclosure procedures account for cybersecurity. Cybersecurity leadership should have a seat at the disclosure table, and everyone in the cybersecurity chain of command should understand—through training or otherwise—the importance of escalating identified risks or events that could become material so they can be evaluated for potential disclosure. Once matters are escalated, companies need a robust procedure for evaluating the materiality of the risk or event and determining whether it should be disclosed. Materiality can be quantitative or qualitative. With respect to cybersecurity incidents, for example, companies need to consider not only the costs of investigation, remediation, and disclosure, but also the potential impact on the company’s business or reputation, among other qualitative factors.
Once a company determines that disclosure of a risk or incident is appropriate, it must avoid misleading statements or omissions. Although SEC guidance states companies are not required to disclose extensive details regarding the method of a cyber intrusion, they should ensure all material details are disclosed to investors. Those details may include the size of the breach, the nature of the information involved, the company’s cybersecurity posture prior to the breach, and the company’s response to the breach, among other things.
Finally, companies should consider whether their internal accounting controls effectively guard against business email compromises or other similar attacks. Once the commission has provided guidance suggesting certain conduct could violate securities laws, enforcement actions often follow. Companies should consider tweaks to wire transfer or disbursement policies, employee training, additional verifications of money transfers, or other steps as appropriate to thwart such attacks and the associated losses.
In Part II of this series, we will review the SEC’s focus on cybersecurity controls at regulated entities such as registered investment advisors and broker-dealers.