SEC Charges Companies Over Cybersecurity Disclosure Failures
On October 22, 2024, the U.S. Securities and Exchange Commission (SEC) took a significant step in enforcing cybersecurity disclosure regulations by charging four publicly traded companies for disseminating misleading information regarding cybersecurity risks and actual breaches. These charges stemmed from an investigation into the notorious 2020 cyberattack on SolarWinds Corporation’s Orion software platform, which had far-reaching implications across various sectors.
Background of the SolarWinds Incident
The SolarWinds cyberattack, which came to light in December 2020, was a sophisticated supply chain attack that compromised the software used by thousands of organizations, including government agencies and Fortune 500 companies. Hackers infiltrated the Orion platform, allowing them to access sensitive data and systems across a wide range of industries. The incident highlighted vulnerabilities in cybersecurity practices and raised questions about the adequacy of corporate disclosures regarding cyber risks.
SEC Findings and Charges
The SEC’s investigation revealed that each of the charged companies had learned about the SolarWinds-related intrusions into their systems in either 2020 or 2021. However, in their public disclosures made in 2021 and 2022, these companies downplayed the severity of the attacks, thereby misleading shareholders and the investing public. The SEC alleged that these actions violated Section 13(a) of the Securities Exchange Act of 1934, which mandates accurate reporting by public companies.
The companies involved agreed to settle the charges with varying civil penalties:
- Company A: $990,000 civil penalty for failing to disclose the extent of encrypted credentials accessed.
- Company B: $1 million civil penalty for inaccurately reporting the scope of the attack, claiming only a limited number of email messages were accessed when over 100 files were compromised.
- Company C: $995,000 civil penalty for providing generic descriptions of cyber risks in its annual reports, despite being aware of the intrusion.
- Company D: $4 million civil penalty for discussing hypothetical future risks while knowing it had already experienced two intrusions. This company also faced additional charges related to its disclosure controls and procedures.
The SEC’s Stance on Cybersecurity Disclosures
The SEC has consistently emphasized that public companies, even if they are victims of cyberattacks, must not mislead their shareholders through vague or inaccurate disclosures. The agency reiterated its guidance from 2011 and 2018, which cautioned companies against framing known risks as hypothetical when they have already materialized. This guidance is particularly relevant in the context of the increasing sophistication and frequency of cyberattacks.
The Evolving Landscape of Cybersecurity Threats
Since the SolarWinds incident, the landscape of cybersecurity threats has evolved dramatically. Ransomware attacks have surged, becoming one of the most common forms of cyber threat faced by organizations. High-profile incidents, such as the 2023 MOVEit vulnerability and the June 2024 CDK Global attack, have underscored the risks associated with vendor relationships and supply chain vulnerabilities. These attacks can have cascading effects, compromising not just individual companies but entire sectors of the economy.
New SEC Cybersecurity Disclosure Rules
In response to the growing threat of cyberattacks, the SEC adopted new cybersecurity disclosure rules in July 2023. These rules impose stricter requirements for reporting material cybersecurity incidents. Under the new regulations, companies must disclose any material cybersecurity incident within four business days of determining its materiality. This shift aims to enhance transparency and ensure that investors are adequately informed about the risks facing their investments.
Challenges in Compliance
While the new rules aim to improve disclosure practices, they also present unique challenges for companies. Ransomware attacks, in particular, complicate the assessment and communication of incidents, as organizations often prioritize recovery and restoration of operations over immediate reporting. Similarly, incidents involving third-party vendors can hinder accurate reporting due to limited access to compromised networks and information.
Conclusion
The SEC’s recent actions against the four companies serve as a stark reminder of the importance of transparency in cybersecurity disclosures. As cyber threats continue to evolve, public companies must prioritize robust disclosure practices and ensure compliance with SEC regulations. By doing so, they can protect their shareholders and maintain trust in the integrity of their operations. Organizations are encouraged to review their disclosure controls and procedures to ensure they are equipped to handle future cybersecurity incidents effectively.