SEC Fines Company $3 Million for Allegedly Misleading Cyberattack Disclosures
Asserting that the company misstated the scope of data stolen in the cyberattack, the SEC provides a clear reminder that cybersecurity disclosures remain an agency priority.
On March 9, 2023, the U.S. Securities and Exchange Commission ("SEC") announced charges against a software company for allegedly misrepresenting the scope of a ransomware attack. In a settled administrative order, the SEC accused the company of violating Sections 17(a)(2) and (3) of the Securities Act and Section 13(a) of the Exchange Act and related rules. The company neither admitted nor denied the SEC's findings.
According to the SEC, the company discovered the attack in May 2020 and disclosed that the attacker did not access customer bank account information or social security numbers. Company personnel soon determined that this was inaccurate, but due to purported weaknesses in the company's disclosure controls and procedures ("DCP"), this information never reached senior management responsible for disclosures. Consequently, a Form 10-Q filed in August 2020 discussed the incident but allegedly failed to include this information. Instead, the company allegedly characterized the loss of such sensitive information as a prospective risk rather than one that had already occurred. The company ultimately disclosed the full scope of the attack in September 2020.
This case is substantively identical to the SEC's 2021 action against Pearson plc, which also involved alleged understatement of the scope of a cyberattack. Both cases also entailed alleged characterization of the risks of harm from cyberattacks as prospective. The civil penalty in the instant case, however, is three times larger.
Considering these cases together, the immediate takeaways for issuers are:
- Ensure that disclosures following a cyberattack are candid and complete and that DCP timely capture information from those responding to the attack; and
- Avoid using prospective language to describe risks of cyber events that have already happened.
Issuers should also expect the SEC to place greater enforcement emphasis on this space going forward; not only has the SEC proposed expansive new rules for disclosing cyberattacks, but it also has doubled the size of its Crypto Asset and Cyber Unit, the Enforcement Division group focused on this area. And given the increase in penalties between the two cases, it seems likely that the SEC will seek stronger sanctions in future cases.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.