Cybersecurity, Disclosure Controls and Enforcement (Oh My!)

The dramatic increase in ransomware and other cyber-attacks has made cybersecurity a top-of-mind topic. Disclosure controls and procedures (DCP), on the other hand, is likely not a top-of-mind issue for most companies.  In a June 14, 2021 Enforcement Release, the SEC reminded us that cybersecurity and DCP should both be towards the top of our risk management agendas.

This relationship between cybersecurity risk and DCP is not a new, out-of-the-blue development.  In its February 26, 2018 Release, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC specifically reminded companies of their obligation to assure cybersecurity risks were appropriately addressed within DCP:

“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Building on this foundational requirement, the Release provides this suggestion about DCP and communication of cybersecurity risks and incidents within a company:

In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face. …..Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

Highlighting the importance of DCP over cybersecurity risk, on June 15, 2021, the SEC announced a settled enforcement case where a company did not have appropriate cybersecurity-related DCP.  As you can read in the Press Release and related SEC Order, the SEC found that senior executives responsible for public statements related to a cybersecurity incident “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.”

According to the SEC Order, the company’s information security personnel detected a cybersecurity vulnerability in a key application that contained substantial amounts of customer data.  Senior management was not informed about the vulnerability or that it was not remediated in accordance with company policy.  Several months after the company discovered the vulnerability, a cybersecurity journalist notified the company that they had discovered the problem and that document images with sensitive customer information could be easily viewed on the internet.  Management responsible for communications with investors about this problem did not have information that should have been included in determining how to communicate to investors about this situation.

The Press Release includes this quote from Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit:

“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it.  Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

As always, your thoughts and comments are welcome!

Leave a Reply

Your email address will not be published.