In this post from June 28, 2021, we reviewed an SEC enforcement action focused on the relationship between cybersecurity risks and disclosure controls and procedures. This relationship was emphasized in the SEC’s February 26, 2018 Release, Commission Statement and Guidance on Public Company Cybersecurity Disclosures:
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
On August 16, 2021, less than two months after the June case, the SEC announced another cybersecurity-related enforcement involving failure to make appropriate disclosures about a breach and the related lack of necessary disclosure controls and procedures.
You can read the details in this Press Release and the related SEC Order. According to the SEC the company, an educational publisher, learned in March 2019 that:
“…millions of rows of data stored on the AIMSweb 1.0 server had been accessed and downloaded by a sophisticated threat actor using an unpatched vulnerability on this server.”
Further, according to the SEC Order, even though an actual breach had occurred, the company referred to the risk as hypothetical in its mid-year report:
“In its July 26, 2019 report furnished to the Commission, (the company’s) risk factor disclosure implied that (the company) faced the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach” but did not disclose that (the company) had in fact already experienced such a data breach.”
According to the Press Release, in a July 2019 statement, released after the company had been contacted by the media about the breach, it indicated that “the breach may include dates of births and email addresses.” When the company released this statement, it knew that this information had been breached. In addition, the statement said the company had “strict protections” in place. In reality, it had failed to patch the critical vulnerability behind the breach for six months after a vendor notified it about the problem.
The company’s share price fell by 3.3% after this announcement. The SEC Order discusses various considerations in determining the materiality of the breach, including this statement in paragraph 11:
“The breach at issue was material because (the company’s) business, including but not limited to AIMSweb 1.0, involved collection and storage of large quantities of private data on school-age children around the world.”
Disclosure controls and procedures were directly addressed in this part of the SEC Order:
“(The company’s) processes and procedures around the drafting of its July 26, 2019 Form 6-K Risk Factor disclosures and its July 31, 2019 media statement failed to inform relevant personnel of certain information about the circumstances surrounding the breach. Although protecting student and user data is critical to (the company’s) business, and (the company) had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.”
The message in this case is clear. Companies must assure that cybersecurity breaches are communicated in the disclosure process and carefully evaluated for materiality and disclosure to investors.
As always, your thoughts and comments are welcome!