Cyberattacks- when must publicly traded companies report them to the Securities and Exchange Commission and other agencies?

The SEC and other agencies are concerned about the significant increase in Cyberattacks on financial companies, banks, critical infrastructure companies and others as these attacks from nationstates threaten the security of the United States. In August of last year, the SEC filed a settlement enforcement action against Pearson plc, a London-based public company that provides educational publishing and other services to schools and universities, agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.

The SEC’s order stated that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

The SEC’s order found that Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.

In addition, the SEC settled an enforcement acvtion against First American Financial Corporation for its real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.

According to the SEC’s order, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.  In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019.  However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.  In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies.  The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission. 

“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.  “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

The SEC’s order charges First American with violating Rule 13a-15(a) of the Exchange Act.  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

New SEC’s proposed reporting requirements state that public companies must report material cybersecurity incidents within four business days after determining that an event has occurred. Companies must also provide periodic updates of previously reported cybersecurity incidents and share their cybersecurity risk management policies and procedures. Companies will now be required to disclose some of the following bullets on their 10-K, related to their risk-management policies:

  • Outline and description of their cybersecurity risk program
  • How they engage with third-party assessors or consultants
  • Measures for cyber incident prevention, detection, and mitigation
  • Business continuity and recovery procedures in the event of a breach
  • How cybersecurity risk might impact the company’s financials
  • Business strategy and planning related to cybersecurity risk

Companies need to also disclose all cybersecurity governance practices as well as cybersecurity expertise that exists on the board of directors if the proposed rules are approved. While these rules are still not in effect, publicly traded companies must still report all material cyberattacks to the SEC in their 10K forms.

Jeffrey Newman is a whistleblower lawyer with the firm Newman & Shapiro and he can be reached at Jnewman@NewmanShapiro.com or at 978-880-4758.