Four Companies Settle SEC Charges for Cybersecurity Disclosure Failures

"The Commission needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one. Yes, the Commission must protect investors by ensuring that companies disclose material incidents, but donning a Monday morning quarterback's jersey to insist that immaterial information be disclosed ... does not protect investors."
Dissenting Statement: Hester Peirce and Mark Uyeda, SEC Commissioners

Four companies separately settled SEC charges for disclosure failures that minimized or omitted facts in connection with a significant cybersecurity incident.  

According to the first Order, the company discovered that two of its servers had software that was infected with malicious code, which allowed unauthorized activity on the affected servers and networks and compromised the company's cloud e-mail and sharing environment. The SEC said that the malicious code enabled access to 145 shared files, some of which contained sensitive company information, and compromised a mailbox for one of its cybersecurity incident response personnel. The SEC found a company's statement that it was investigating suspicious activity that it "believed resulted in unauthorized access to our email system" misleading.

According to the second Order, the company continued to file reports in 2021 and 2022 with generic cybersecurity risk disclosures, despite discovering the installation of malicious software and the compromise of corporate accounts and being alerted to the incident by a third-party vendor. The SEC found that the company's disclosures were "virtually unchanged from the same disclosures in prior [] public filings" and that the company "failed to tailor them to [its] particular risks and incidents."

According to the third Order, the company identified that a bad actor exfiltrated critical data, including internal email, certain source code, a database containing encrypted credentials for approximately 31,000 customers and server and configuration information for approximately 17,000 customers. The SEC found that the company failed to (i) disclose the number of customers whose credentials or server and configuration information were accessed by the bad actor, (ii) describe the nature of the compromised code, or (iii) quantify the amount of source code exfiltrated. 

According to the fourth Order, the company discovered that a threat actor compromised at least seven network credentials and 34 cloud accounts, transferring over 33 gigabytes of data and accessing email and files of senior IT personnel. The SEC said a separate ransomware group infiltrated the company's network, stealing critical software code for its products. The SEC found that the company's incident response policies did not require timely reporting of these breaches to senior management, which led to significant delays in disclosure. The SEC said that after these incidents, the company updated its policies, disclosed the material weakness in its reporting controls and took additional steps to improve cybersecurity and reporting procedures.

The SEC found that the companies violated Securities Act Sections 17(a)(2) and 17(a)(3) ("Fraudulent Interstate Transactions") and SEA Section 13(a) ("Periodical and other reports") and Rules 12b-20 ("Additional information"), 13a-1 ("Requirements of annual reports") and 13a-15(a) ("Controls and procedures") thereunder. The companies agreed to (i) cease and desist from further violations and (ii) pay the following respective civil money penalties: $1 million; $995,000; $990,000; and $4 million.

In a dissenting statement, Commissioners Hester M. Peirce and Mark T. Uyeda criticized the SEC's enforcement actions, arguing that the nearly $7 million in penalties unfairly targets the victims of the cyberattack and fails to address the real perpetrators. The Commissioners claimed that the SEC was "playing Monday morning quarterback" by second-guessing the companies' disclosures and focusing on immaterial details. 

Ms. Peirce and Mr. Uyeda said that these cases can be grouped into two categories: (i) companies that disclosed information about the attack but allegedly omitted key details, and (ii) companies that did not update their existing cybersecurity risk factors.

  • For the first group, the dissenting Commissioners challenged the majority's view that identifying the nation-state behind the attack was "material" to investors. They noted that during the SEC's adoption of the 2023 Cybersecurity Rule, no feedback suggested that the identity of the attacker was crucial: "Not a single one of the 150-plus comment letters...requested disclosure of the identity of the threat actor." The Commissioners argued that the omitted information wouldn't have changed the overall picture provided to investors.
  • For the second group, the dissenting Commissioners disputed the majority's focus on technical details, such as the percentage of compromised customer data and source code accessed by the attackers. The dissenters asserted that the companies' disclosures provided the essential information and that requiring such specific details could overwhelm investors with unnecessary minutiae. They cautioned that this could lead to over-disclosure of immaterial information, ultimately diverting investor attention.

Ms. Peirce and Mr. Uyeda also warned that the SEC's actions could lead companies to fill their disclosures with immaterial details out of fear of being penalized, which would run counter to the intent of the 2023 Cybersecurity Rule, designed to focus on the real impact of incidents.
