SEC Charges Public Companies with Misleading Cyber Disclosures

On October 22, 2024, the Securities and Exchange Commission (SEC) announced that it had charged four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions, with one company also charged with disclosure controls and procedures violations. None of the orders specifically cite the new cybersecurity disclosure rules that went into effect in 2023, because the conduct in question occurred prior to the effective date of the new rules.

The SEC alleged that the public disclosures by each of these companies downplayed the severity of SolarWinds cyberattack-related intrusions in one or more of the following respects: (i) describing risks as hypothetical (even after these risks had materialized in the SolarWinds incident), (ii) disclosing generic descriptions of cyber risks without disclosing the incident the company experienced, (iii) failing to disclose the nature and extent of data that was accessed in the incident (including the nature of the threat actor and details relating to the data accessed), and (iv) minimizing the impact. The companies paid civil penalties ranging from $990,000 to $4,000,000 to settle the charges.

What this means to you

These cases continue a trend towards aggressive SEC enforcement of public companies’ disclosure obligations—particularly as they relate to cybersecurity incidents. The actions highlight the importance of ensuring that disclosures—including cybersecurity incident disclosures under new Item 1.05 of Form 8-K—are accurate and fully reflect all (even arguably) material details. Importantly, none of the companies charged by the SEC failed to make disclosures to the public—rather, the SEC determined that the substance of the disclosures made was not sufficient.

It also should be noted, however, that SEC commissioners Hester M. Peirce and Mark T. Uyeda dissented from these actions, arguing the SEC had engaged in a “hindsight” review to second-guess these companies’ materiality determinations while citing immaterial, undisclosed details to support its charges. Their dissent pointed to the SEC’s observation in adopting its 2023 Cybersecurity Rule that “immaterial disclosure about cybersecurity incidents may ‘divert investor attention’ and result in ‘mispricing of securities’” and expressed concern that these actions amount to supplemental “regulation by enforcement” which could inadvertently encourage disclosure of excessive immaterial details, undermining the rationale behind the 2023 rule and the addition of Item 1.05 to Form 8-K.

In light of this dissent, and in connection with the expected new incoming SEC administration, we will continue to monitor the SEC’s evolving approach to enforcement of its cybersecurity incident disclosure requirements.

Notwithstanding the misgivings expressed by the two dissenting commissioners, however, public companies should bear in mind the following considerations:

  • Companies should review and update their risk factor disclosures related to cybersecurity incidents, making sure not to disclose a risk as hypothetical after the risk in question has already occurred or to use generic terms when describing specific, known risks.
  • Companies should review and update their existing cybersecurity-related disclosures—including both substantive disclosures and risk factors—after the company has experienced a material cybersecurity incident.
  • Companies should review existing disclosure controls and procedures to assess whether current controls are sufficient to make timely determinations of materiality and to report cybersecurity-related information accurately and comprehensively.
  • Companies should accurately (and fully) describe any material cybersecurity incidents the company experiences in their Form 8-K Item 1.05 disclosures, as well as their ongoing periodic reports.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Husch Blackwell LLP

Written by:

Husch Blackwell LLP
