SEC’s Cyber Disclosure Expectations
While we all wait for the Securities and Exchange Commission to adopt new rules for cybersecurity disclosures later this week, we should also heed a recent speech from the SEC’s head of enforcement, where he outlined five principles that will guide how the agency thinks about corporate liability for cyber attacks.
Enforcement chief Gurbir Grewal gave his speech at the end of June at a conference about cyber resilience — and the very word “resilience” is an important tell. Resilience is about maintaining business operations even after a cyber attack, which means that the attack has already happened. In other words, yes, corporations always have a duty to try to prevent cyber attacks; but when prevention fails, they still have a further duty to be forthright in disclosing the attack to investors.
Those duties of disclosure were the subject of Grewal’s speech.
First, he said, when cyber attacks happen to publicly traded companies or other market participants, the SEC “considers the investing public to also be potential victims of those incidents.”
The SEC fully understands, he said, that the company’s foremost concern is to stop any damage and preserve the company’s long-term viability. That often means making decisions in the heat of the moment, and sometimes without a full picture of exactly what the attackers are doing.
Still, he said, “we cannot lose focus of the fact that those decisions directly impact customers whose [personal] or financial information has been compromised — and those decisions may also be material to investors in publicly traded companies. So in addition to ensuring that market participants are doing their part to prevent and respond to cyber events, our goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.”
We should appreciate what Grewal is telling us here: that even while companies are suffering through a cyber attack against them, they still have a duty of care to both customers and investors. That provides the legal basis for the SEC to sanction companies when they ignore that duty of care — and the confusion of a cyber attack won’t be a sufficient excuse for said ignoring. You have been warned.
The Crucial Role of Policies
Grewal’s second enforcement principle was about policies. His words speak for themselves: “Firms need to have real policies that work in the real world, and then they need to actually implement them; having generic, check-the-box cybersecurity policies simply doesn’t cut it.”
Grewal then pointed to several recent SEC enforcement actions against broker-dealers and registered investment advisers, where those firms were sanctioned for deficiencies in their programs to prevent customer identity theft — programs that are required under Regulation S-ID, more commonly known as the Identity Theft Red Flags Rule.
Specifically, those firms had “written policies” that actually just regurgitated the language of Regulation S-ID itself. For example, J.P. Morgan instructed staff to “identify relevant red flags” and “respond appropriately to any red flags that are detected to prevent and mitigate identity theft.” Except, those policies didn’t explain how to identify or respond to those red flags.
This business of copying regulatory language into your policy manual and then declaring victory is a pet peeve with the SEC; I’ve seen numerous enforcement actions or regulatory examination reviews faulting companies for exactly this bad habit, both for cybersecurity and other issues such as AML or customer due diligence requirements. Grewal’s message here is clear: policies need to address the regulation’s objective and help employees understand what they must do in their daily work routines.
Along similar lines, Grewal’s third principle for cyber enforcement was that companies must regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. “What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective,” he said.
As a bonus, Grewal also suggested (pro tip: it wasn’t really a suggestion) that companies pay attention to the SEC’s enforcement actions and other policy pronouncements on cybersecurity. “They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations,” he said.
Speaking About Cyber Incidents
Grewal’s last two enforcement principles warned companies about how they should behave after the attack happens, both internally and when disclosing details to the investing public.
For example, his fourth principle was that when an incident happens, “The right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.”
An excellent example of this issue (and one Grewal cited) is First American Financial Corp., a title insurance business busted by the SEC back in 2021 for poor cybersecurity disclosures. The company had suffered a breach, and senior executives knew that fact; but the IT team subsequently realized the breach was worse than first believed, and they had not passed along that new fact to senior management. So investors were in the dark about this significant event until the media learned about it independently and then shotgunned the news all over the interwebs. Which is not the orderly, informed disclosure process the SEC wants to see.
And then Grewal’s fifth and final principle: zero tolerance for gamesmanship around the disclosure decision.
“Here I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk,” Grewal said. “Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper-technical readings of the rules, or by minimizing the cyber incident.”
Again, we already have real-world proof of this principle in action. In 2021 the SEC fined education publisher Pearson Corp. for making misleading statements about a cyber breach. Specifically, Pearson first described the breach as attackers merely viewing personal customer data, when in fact the company knew the attackers had absconded with troves of that data. Then Pearson framed the lost data in hypothetical terms — “may include date of birth and/or email address” — when Pearson knew that roughly half the stolen records contained dates of birth and some 290,000 contained email addresses.
Why Is Grewal Telling Us This?
That’s easy: because the SEC is about to adopt new rules for expanded disclosure of cybersecurity risks and incidents. He is warning everyone now about what the Enforcement Division expects to see for appropriate risk management and fulsome disclosure of “material cybersecurity incidents” — or else your company might end up doing the walk of shame too, following First American, Pearson, and many others.
At least we can’t say we weren’t warned.