Four recent US SEC cybersecurity disclosure enforcement actions underscore the critical need for US-listed companies, including foreign private issuers, to focus on their cybersecurity disclosures and to take their reporting obligations seriously.
The US Securities and Exchange Commission recently settled four enforcement actions against US-listed companies for allegedly misleading statements about cybersecurity incidents.
Each case involved a company that used the SolarWinds Orion software, into which a threat actor, reportedly supported by a nation state, had inserted malicious code in 2020. In the enforcement actions, the SEC alleged that the companies had minimized the impact of the resulting cybersecurity incidents in their public disclosures, including, in some cases, by continuing to describe the risk of a cyber incident as merely hypothetical after one had actually occurred.
Two SEC Commissioners issued a dissenting statement criticizing these enforcement actions as engaging in a “hindsight review to second-guess the disclosure” and an attempt to regulate by enforcement.
Key takeaways
When drafting (and defending) disclosure in connection with cybersecurity incidents, the following considerations should be taken into account, balanced against the concerns raised by the dissenting commissioners:
- Design and implement disclosure controls and procedures that ensure potentially material cybersecurity incidents are escalated to those responsible for disclosure decisions.
- Update hypothetical risk-factor language to reflect cybersecurity incidents once they have occurred.
- Describe the scope and impact of an incident accurately rather than in generic terms.
- Cooperate with the SEC.
Conducting cybersecurity materiality assessments and drafting cybersecurity incident disclosure is a balancing act that can be difficult to get right. This is particularly true as the SEC seeks to navigate and enforce its new cybersecurity disclosure rules.
For more on these cases and guidance on how to navigate these evolving requirements, see Key Takeaways from Four SEC Cybersecurity Disclosure Enforcement Actions.