Takeaways

  • The SEC’s recent enforcement actions, public statements and proposed rulemaking indicate that cybersecurity will be an area of heightened focus for the Gensler Commission.
  • New proposed rules would require public companies to disclose the details of their cybersecurity programs, their leadership’s oversight and expertise in managing cyber risk and their material past or current cyber incidents.
  • Considering the SEC’s focus and potential rulemaking, registrants should take proactive measures to mitigate risk by reviewing cyber policies and procedures and carefully assessing the adequacy of disclosures.

On the morning of May 24, 2019, a cybersecurity journalist notified First American Financial Corporation (First American) that one of its key applications had a serious vulnerability. First American, a publicly traded company that provides real estate settlement services, utilized the application Eagle Pro to share images of legal and financial documents used in real estate closings. According to an anonymous source, the vulnerability allowed unauthorized users to access over 800 million documents that had been shared with First American. Many of these documents contained sensitive data, such as social security numbers, financial records and driver’s licenses, which the journalist who published the article later that day described as “a virtual gold mine for phishers and scammers.”

In the hours following the tip, First American provided the journalist with a statement acknowledging the leak and stating that external access to Eagle Pro had been shut down. On the morning of May 28, the first day of trading following the tip, First American released an 8-K and press release announcing the defect and the remedial measures it had taken. However, despite these apparent proactive steps, the SEC brought an enforcement action against First American for violating Exchange Act Rule 13a-15(a), which requires issuers to maintain proper disclosure controls and procedures. As part of a settlement of the SEC’s charges, First American agreed to the entry of a cease-and-desist order and to a $487,616 civil penalty.

You Don’t Know What You Don’t Know
The problem was that First American’s IT department had discovered the potential leak several months before the tip. Indeed, the company’s IT department had published a report in January 2019—four months before the journalist’s article was published—that identified a “serious” vulnerability in the Eagle Pro application. Due to a clerical error, the company mistakenly classified the vulnerability as low risk, which, according to First American’s policies, afforded the company 90 days to remediate the issue. Yet more damaging was the fact that even after the breach was announced publicly, First American’s senior leadership was not informed that the company had identified the weakness several months prior. Indeed, despite numerous meetings between the company’s technical experts and its senior executives in the four days between the tip and the release of the 8-K, First American’s leadership remained unaware that the leak had not been remediated in a timely manner. “These senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the Eagle Pro vulnerability at the time they approved the company’s disclosures,” the SEC concluded in its order. In other words, even though First American disclosed the vulnerability, the flaws in the company’s disclosure controls and procedures resulted in a failure to adequately inform investors of the full extent of the problem.

Increasing Enforcement Scrutiny Around Disclosure Controls and Procedures
The First American case illustrates a problem that is receiving increasing attention from the SEC—namely, cyber vulnerabilities and inconsistencies in reporting among public companies and regulated entities. Two months after the First American settlement, in August 2021, the SEC brought a settled enforcement action against Pearson PLC, a London-based educational publishing company, for misreporting a 2018 cyber intrusion that involved the theft of millions of records, many of which contained sensitive personal information. Just weeks after the Pearson matter, the SEC brought settled enforcement actions against eight broker-dealers and investment advisers for failures in their cybersecurity policies that resulted in the exposure of thousands of customers’ and clients’ sensitive personal information. Finally, in May 2021 the SEC settled with GWFS Equities Inc., a Colorado-based broker-dealer, for improperly reporting repeated attempts to access the retirement accounts of its clients. After “significant cooperation” and subsequent remedial efforts, GWFS settled for a $1.5 million civil penalty and a censure.

Since summer 2021, the SEC’s Enforcement Division has been aggressively investigating the response of public companies to the highly publicized cyberattack that targeted the SolarWinds software. In connection with that “sweep,” the SEC appears to be probing potential disclosure failures, violations of the internal accounting controls provisions and the adequacy of issuers’ disclosure controls and procedures. Notably, for companies that received an information request from the SEC, the staff is assessing potential securities law violations linked not only to the cyberattack on the SolarWinds software but also to any other cyber intrusion.

Increasing Regulatory Activity: Two Recent Cyber-Related Rulemakings
This enforcement activity has been followed by increased regulatory activity in 2022. On January 24, SEC Chair Gary Gensler gave a speech on “Cybersecurity and the Securities Laws.” The Chair’s speech was styled as a call to action, emphasizing that cyber incidents are not only costly but also threaten national security. Chair Gensler stated that he was asking his staff to study the current cybersecurity regulations and report to him with suggestions on how the SEC can “broaden and deepen” the rules to fit the current risk landscape.

And act, they did.

On February 9, the SEC proposed new cyber-related rules for registered advisers and funds. These proposed rules would require funds to implement written security policies and procedures, report significant cyber incidents on a new confidential form and adhere to new record-keeping requirements designed to facilitate the Commission’s inspection and enforcement capabilities.

One month later, on March 9, the SEC proposed new rules that would impose cybersecurity obligations on public companies. These new rules would require registrants to, among other things, report material cyber incidents within four days via a Form 8-K and provide updates on such incidents via disclosures in Forms 10-K and 10-Q. Perhaps most notably, the proposed rules would amend Regulation S-K to require companies to describe their policies and procedures for identifying and managing risks from cyber threats, including those from third-party service providers. The rules would also require companies to disclose their board of directors’ oversight of cyber risks and management’s expertise in implementing and managing cybersecurity policies. Companies would be required to disclose “any detail necessary to fully describe” the nature of directors’ expertise and whether they have a designated chief information officer (and, if so, that individual’s place in the organizational chart).

These changes are significant and controversial. Dissenting Commissioner Hester M. Peirce stated that the new disclosure requirements would “embody an unprecedented micromanagement” by the SEC of the boards of directors and management of public companies. “The proposal,” Peirce wrote, “although couched in standard disclosure language, guides companies in substantive, if somewhat subtle, ways.” This, she argued, is because the SEC’s requirements “will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies.”

However, whether unprecedented or not, the proposed rules fall squarely within the broad menu of cyber-focused priorities that Chair Gensler outlined in his January speech. In that speech, the Chair explicitly stated that he would direct the staff to consider ways to strengthen firms’ cybersecurity hygiene and ensure that they can maintain operational capability during cyber incidents. This substantive direction appears to reflect the Chair’s view that “cybersecurity is central to national security” and, quoting President Biden’s 2021 remarks on cybersecurity, that “the federal government can’t meet this challenge alone.”

Preparing for the SEC’s New Cyber Agenda
Companies, advisers and other regulated entities should prepare for these potential changes in the regulatory and enforcement landscape.

First, regulated entities should assess the adequacy of their existing cybersecurity protections and update them considering the SEC’s new proposals. Such an assessment should include: (1) the nature, sensitivity and location of information that the entity collects, processes and/or stores; (2) internal and external cybersecurity threats to and vulnerabilities of the entity’s information and technology systems; (3) security controls and processes currently in place; (4) the likely impact if the information or technology systems become compromised; (5) the effectiveness of the governance structures for the management of cyber risks; (6) the procedures in place for detecting, responding to and escalating awareness of cyber incidents; and (7) the policies and procedures in place for providing training and guidance to the firm’s directors, officers and other personnel to ensure that best practices are maintained.

Public companies also should carefully examine their disclosure controls and procedures. This means examining not just the substantive security protections the firm has in place, but how a security breach will be reported internally when one inevitably occurs. The SEC’s new proposals and recent enforcement actions demonstrate that the Commission expects registrants to disclose cyber incidents in a timely manner. Firms will want to ensure that mechanisms are in place whereby cyber incidents are promptly escalated so that the company’s senior executives can evaluate whether disclosure is appropriate. As a best practice, firms should be prepared for reporting of any incidents to conform with the SEC’s new proposals, which would require disclosure of:

  • When the incident was discovered and whether it is ongoing
  • A brief description of the nature and scope of the incident
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
  • The effect of the incident on the registrant’s operations
  • Whether the registrant has remediated or is currently remediating the incident

Additionally, companies will want to ensure that their directors have an adequate understanding of cyber risks and that they have a designated chief information officer within their governance structure.

Finally, firms should take a careful look at the cybersecurity controls and procedures of the third parties with whom they work. Many of the risks that firms face may arise from third parties (e.g., placement agents, vendors), and, as Chair Gensler’s remarks indicate, the SEC may begin to hold firms accountable for security failures caused by or through these partners. It is prudent for firms to conduct due diligence on the protections their third-party vendors use, for example, by reviewing the third parties’ cybersecurity policies, obtaining an express written commitment from the third party that it will maintain the firm’s information securely, implementing indemnification provisions in the event of a cyberattack or requiring that the third party utilize specific safeguards.

The SEC’s longstanding guidance on whether to pursue an enforcement action against an entity includes consideration of whether the registrant engages in self-policing for potential violations. Even if review of a firm’s existing cybersecurity policies does not uncover any deficiencies, the manner of the firm’s response to the Commission’s public statements (in the form of guidance, enforcement actions and proposed rules) will provide it with a strong argument for its pro-compliance culture that can be used in the event of any future inquiry from the Division of Enforcement. Given the undeniable SEC focus on cyber-preparedness, firms will be well served to take this opportunity to kick the tires of their existing controls and procedures, both so that they are prepared for potential changes to the SEC’s requirements and so they can act appropriately in the event of a cyber incident.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.