Commissioner Roisman Talks Cybersecurity - Corporate/Commercial Law

Published on November 7th, 2021


On Friday, in remarks before the
L.A. County Bar Association, SEC Commissioner Elad Roisman
addressed some of the challenges associated with cybersecurity and
cyber breaches and similar events. In his presentation, Roisman
considers cybersecurity in a variety of contexts, such as the
exchanges, investment advisers and broker-dealers, but his
discussion of cybersecurity in the context of public companies is
of most interest here. Although the SEC has imposed some
principles-based requirements and issued guidance about
cybersecurity disclosure, Roisman believes that there is more in
the way of guidance and even rulemaking that the SEC should
consider “to ensure that companies understand [the SEC’s]
expectations and investors get the benefit of increased disclosure
and protections by companies.”

Cyber threats cover a broad territory, Roisman explains: they
may involve “simple account intrusions that seek to steal
assets from an investor’s or customer’s accounts;
ransomware attacks that seek to disable business operations in
order to extract payments; and even acts of ‘hacktivism’
that disrupt services to make a political point.  Cyber events
can often be hard to detect, hard to measure quickly, and can
involve reporting obligations to multiple government agencies and
stakeholders.” 

While public companies have general disclosure obligations under
the securities laws, they may also have responsibility for
“taking measures to prevent and mitigate damage from these
threats.” Roisman observes that “it has become
increasingly important for market participants to work with counsel
and other experts on preparing for potential cyber-attacks before
they happen - that is, devising a plan for monitoring for cyber
threats, responding to potential breaches, and understanding when
information must be reported outside the company and to
whom.”

With regard to disclosure guidance, although there is currently
no explicit disclosure mandate regarding cybersecurity risks and
cyber incidents, Roisman observes, the SEC did issue guidance in
2018 that makes clear that companies may be obligated to
disclose these risks and incidents under Reg S-K and Reg S-X, which
require disclosure regarding risk factors, business and operations,
MD&A and other matters. A “necessary prerequisite” to
providing timely and adequate disclosure, according to Roisman, is
the adoption and implementation of effective disclosure controls
and procedures, which in turn rely on “engaged and informed
officers, directors and others.”

SideBar

In 2018, the SEC announced that it had adopted long-awaited new
guidance on cybersecurity disclosure. With the increasing
importance of cybersecurity and the increasing incidence of cyber
threats and breaches, the guidance cautioned, companies need to
review the adequacy of their disclosures regarding cybersecurity
and consider how to augment their policies and procedures to ensure
that information regarding cybersecurity risks and incidents is
effectively communicated to management to allow timely decisions
regarding required disclosure and compliance with insider
trading policies. The guidance highlighted the pervasiveness of,
and increasing reliance by companies on, digital technology to
conduct their operations and engage with customers and others. That
makes companies in all industries vulnerable to the threat of
cybersecurity incidents, such as stolen access credentials,
malware, ransomware, phishing, structured query language injection
attacks and distributed denial-of-service attacks. Whether these
incidents are a consequence of unintentional events or deliberate
attacks, the SEC cautioned that they represent a continuous risk to
the capital markets and to companies, their customers and business
partners, a risk that calls for more timely and transparent
disclosure.

In addition to a discussion of disclosure obligations under
existing laws and regulations, the focus of the guidance was on
cybersecurity policies and procedures, particularly with respect to
disclosure controls and procedures and insider trading and
selective disclosure prohibitions. The guidance urged companies to
assess whether their disclosure controls and procedures capture
information about cybersecurity risks and incidents and ensure that
it is reported up the corporate ladder to enable senior management
to make decisions about whether disclosure is required and whether
other actions should be taken. According to the guidance,
“[c]ontrols and procedures should enable companies to identify
cybersecurity risks and incidents, assess and analyze their impact
on a company’s business, evaluate the significance associated
with such risks and incidents, provide for open communications
between technical experts and disclosure advisors, and make timely
disclosures regarding such risks and incidents. The controls should
also ensure that information is communicated to appropriate
personnel to facilitate compliance with insider trading
policies.”  (See this Cooley Alert.)

Cybersecurity, Roisman notes, can also implicate internal
control over financial reporting, pointing to the SEC’s 2018 21(a) report regarding nine companies that were
victims of cyber fraud as a result of their employees’ wiring
funds to pay phony “invoices” in response to deceptive
electronic communications.

SideBar

As described in the 21(a) report, Enforcement conducted
investigations of nine listed public companies in a range of
industries that experienced cyber fraud in the form of
“business email compromises,” which involved perps
sending spoofed or otherwise compromised electronic communications
that purported to be from company executives or vendors.  The
perps then deceived company personnel into wiring substantial sums
into the perps’ own bank accounts.  In these instances,
each company lost at least $1 million, and two lost more than $30
million for an aggregate (mostly unrecovered) loss of almost $100
million. And these weren’t one-time only scams: in one case,
the company made 14 wire payments over several weeks for an
aggregate loss of over $45 million, and another company paid eight
invoices totaling $1.5 million over several months.

Although the SEC decided not to take any enforcement action
against the nine companies investigated, the SEC determined to
issue the report “to make issuers and other market
participants aware that these cyber-related threats of spoofed or
manipulated electronic communications exist and should be
considered when devising and maintaining a system of internal
accounting controls as required by the federal securities laws.
Having sufficient internal accounting controls plays an important
role in an issuer’s risk management approach to external
cyber-related threats, and, ultimately, in the protection of
investors.” Given our expanding reliance on electronic
communications and digital technology for economic activity, the
report advised companies to “pay particular attention to the
obligations imposed by Section 13(b)(2)(B) to devise and maintain
internal accounting controls that reasonably safeguard company and,
ultimately, investor assets from cyber-related frauds.” In
particular, the report focused on the requirements of Section
13(b)(2)(B)(i) and (iii) to “devise and maintain a system of
internal accounting controls sufficient to provide reasonable
assurances that (i) transactions are executed in accordance with
management’s general or specific authorization,” and that
“(iii) access to assets is permitted only in accordance with
management’s general or specific authorization.” (See this PubCo post.)

And, Roisman observes, Enforcement also “brought two notable
settled actions this summer involving public companies’
disclosures regarding cybersecurity incidents.” Here, Roisman
pointed to recent cases against First American Financial
Corporation and Pearson plc.

SideBar

In June, the SEC announced settled charges against a real
estate settlement services company, First American Financial
Corporation, for violation of the requirement to maintain adequate
disclosure controls and procedures “related to a cybersecurity
vulnerability that exposed sensitive customer
information.” According to the SEC’s order, in May 2019, the company was advised by
a journalist that its “EaglePro” application for sharing
document images had a vulnerability that exposed “over 800
million title and escrow document images dating back to 2003,
including images containing sensitive personal data such as social
security numbers and financial information.” That evening, the
company issued a public statement and, on the next trading day,
furnished a Form 8-K to the SEC.  However, as it turns out,
the company’s information security personnel had already
identified the vulnerability in a report of a manual test of the
EaglePro application about five months earlier, but failed to
remediate it in accordance with the company’s policies. 
Importantly, for purposes of this case, they also failed to apprise
senior executives about the report, including those responsible for
making public statements, even though the information would have
been “relevant to their assessment of the company’s
disclosure response to the vulnerability and the magnitude of the
resulting risk.” The company was found to have violated the
requirement to maintain disclosure controls and procedures and
ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)

Then, in August, the SEC announced settled charges against Pearson
plc, an NYSE-listed, educational publishing and services company
based in London, for failure to disclose a cybersecurity breach. In
this instance, it wasn’t just a vulnerability - there was an
actual known breach and exfiltration of private data. As
described in the SEC’s Order, in September 2018, Pearson was advised
by one of its software manufacturers of a critical vulnerability in
its software and notified of the availability of a patch to fix it.
Pearson, however, failed to implement the patch.  In March
2019, the company learned that a “sophisticated threat
actor” used the unpatched vulnerability to access and download
millions of rows of data.  After the breach, Pearson
implemented the patch and engaged a consultant to conduct an
investigation, but “decided that it was not necessary to issue
a public statement regarding the incident.” Instead, Pearson
mailed a notice to its customer accounts and prepared a media
statement to have ready in case of media inquiry. Nor did
Pearson disclose the breach in its Form 6-K risk factors, instead
leaving its previous cybersecurity risk factor - which described the
risk as purely hypothetical - unchanged. The SEC viewed that
disclosure as misleading and imposed a civil penalty on Pearson of
$1 million. (See this PubCo post.)

Finally, Roisman highlights the appearance on the SEC’s most
recent regulatory agenda of potential rulemaking regarding
cybersecurity. (See this PubCo post.) While he disclaims having
set eyes on any draft proposal, he has some ideas of his own that
he hopes to see in the anticipated proposal, including these
points:

“First, we need to define any new legal obligations
clearly.  Second, we need to make sure that these obligations
do not create inconsistencies with requirements established by our
sister government agencies.  Third, we should recognize that
some registrants have greater resources than others, and we should
not try to set the resource requirements for an entity.  And
finally, because issuers’ businesses vary, the
cybersecurity-related risks they face also will vary, and therefore
a principles-based rule would likely work best.”

In particular, Roisman emphasizes the importance of working with
other regulators, law enforcement and the national security
community to ensure that the proposal from the SEC would not
conflict with their mandates, such as an admonition against
disclosure by law enforcement or national security agencies. 
He also cautioned that any disclosure requirements should be
focused on eliciting material information and tailored to
avoid disclosure of a “roadmap for how to infiltrate a
registrant’s systems.”  

In conclusion, Roisman offers some ideas that companies could
consider undertaking right now. For example, companies might
want to identify in advance experts that they can call in the
event of a cyber-incident. In his view, that type of effort
would show “prudence and diligence.” Another proactive
way to mitigate potential harm would be to conduct table-top
exercises. While these activities will not necessarily cover every
circumstance, “they offer a level of procedures and pro-active
measures that a company can undertake in recognition of this
potential risk.”

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
