On June 14, 2021, the U.S. Securities and Exchange Commission (SEC or Commission) settled charges against an issuer for disclosure controls and procedures violations relating to a cybersecurity vulnerability that exposed sensitive customer information. The charges, stemming from a violation of Rule 13a-15(a) of the Securities Exchange Act of 1934, resulted in a $487,616 penalty for the issuer.

According to the SEC’s order, on May 24, 2019, a cybersecurity journalist notified the issuer of a cybersecurity vulnerability that exposed over 800 million images, some of which included sensitive customer information, such as financial data and Social Security numbers. Notwithstanding the company issuing a press release the same day as receiving the cybersecurity notification and furnishing a Form 8-K on May 28, the SEC charged the company for violating disclosure controls and procedures requirements. The SEC’s order found significant facts underlying the violation, namely, that (1) the issuer’s information security personnel identified the same vulnerability months before but failed to remediate it in accordance with the issuer’s policies, and (2) the issuer’s senior executives responsible for the issuer’s disclosures were not apprised of information that was relevant to their assessment of the disclosure response. As a result, the issuer “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure.”

Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated that “issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” Rule 13a-15 requires issuers to maintain disclosure controls and procedures that are designed to ensure that information required to be disclosed is recorded, processed, summarized and reported.

These charges echo a Feb. 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures that explained an issuer must assess whether it has sufficient disclosure controls in place to ensure that relevant information about cyber incidents is processed and appropriately reported to enable senior management to make disclosure decisions. It further explained that an issuer’s “disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information” that may be relevant to the assessment of risks and developments required to be disclosed.

Companies should remain cognizant of the requirements imposed by the disclosure controls and procedures rules and must continually assess the sufficiency of their disclosure controls and procedures to adapt to the changing nature of the risks they face. Policies should ensure that information about cybersecurity risks and incidences is processed and reported appropriately so that it may be disclosed. Issuers would be wise to reassess their current disclosure controls and procedures to avoid situations that could result in preventable penalties and violations. If your company experiences a cybersecurity event or receives a request from the SEC or any other government entity, we encourage you to consult with experienced legal counsel.