Arnold & Porter Discusses Growing Cybersecurity Oversight by SEC and Shareholders
Protecting against data breaches, hacks and cyber threats is an unwelcome but necessary reality for businesses today. In addition to vigilantly guarding against attacks, companies must consider the possibility of litigation and investigations that can stem from such events. State attorneys general, the Federal Trade Commission, the Department of Health and Human Services Office of Civil Rights, and other federal and state agencies have each investigated companies that have been the victim of a cyberattack. Now, businesses must also take into account whether failing to prepare for cyber threats exposes them to investigations or enforcement actions undertaken by the Securities and Exchange Commission or to litigation brought by shareholders.
On October 16, 2018, the SEC's Division of Enforcement, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, issued a Section 21(a) report on investigations into nine unnamed publicly traded companies from various industries, each of which fell victim to a "business email compromise" scheme.
Employees at each of these companies received fraudulent emails that purported to come from a company executive or vendor. The emails from "fake" executives asked company finance employees to work with purported outside counsel, identified in the email, to wire transfer money to a foreign bank account for a time-sensitive transaction. The emails spoofed email domains and addresses to make them appear to come from a company executive. The emails also contained real law firm and attorney names for added "authenticity."
In the "fake" vendor variant, the perpetrators first hacked a vendor's email account. They then sent company employees falsified invoices from the hacked account, requesting that the company send payment for services to a specific foreign bank account controlled by the perpetrators.
In total, the nine companies investigated by the SEC lost nearly $100 million to the schemes. The money has not been recovered. According to the FBI, this type of "business email compromise" has caused more than $5 billion in losses since 2013.
Although the SEC decided not to pursue enforcement actions against any of the nine companies, it issued a Section 21(a) report "to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws." The Commission's report thus makes clear that companies that fail to have the proper internal controls to limit such threats may be in violation of their obligations under Section 13(b)(2)(B).
This report from the SEC follows on the heels of other recent actions taken by the Commission and shareholders. In February 2018, the SEC issued guidance on public company cybersecurity disclosures. The guidance emphasizes the SEC's belief "that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack." To that end, the guidance stresses that companies must develop effective disclosure controls and procedures. It also emphasizes that "directors, officers and other corporate insiders must not trade a company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."
The guidance was not mere rhetoric. In April 2018, the SEC fined Yahoo (now trading as Altaba Inc.) $35 million for failing to disclose a 2014 data breach until March 2016. And, in March and June 2018, the SEC charged former employees of Equifax for insider trading in connection with the announcement of the company’s September 2017 data breach.
The SEC is not solely concerned with how publicly traded companies address cybersecurity. In September, the SEC charged Voya Financial Advisors with violating the Safeguards Rule and the Identity Theft Red Flags Rule. The Safeguards Rule requires that broker-dealers, investment companies and investment advisers "adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information." The Identity Theft Red Flags Rule requires the same types of entities to adopt written policies and procedures that are meant, among other things, to detect, prevent and mitigate identity theft.
The enforcement action stemmed from events that occurred in 2016, when individuals called Voya's support line pretending to be contractors for the company. These individuals requested that Voya reset the contractors' passwords. They then used the new passwords to gain access to the personal information belonging to thousands of Voya customers, to create new online profiles, and to obtain access to account documents of three Voya customers. According to the SEC, Voya's policies and procedures to protect customer information were outdated and "not reasonably designed" to provide such protection. In addition to a $1 million penalty, Voya agreed (without admitting or denying the Commission's findings) to be censured and to retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and the Identity Theft Red Flags Rule.
In addition to the actions taken by the SEC, shareholders in recent years have also brought an increasing number of both cybersecurity-based class actions alleging violations of the federal securities laws and shareholder derivative suits alleging companies’ boards of directors failed to take adequate steps to prevent cyber incidents. A few examples include the following matters:
- Yahoo settled for $80 million a suit brought by shareholders alleging that it traded stock at artificially high prices while it failed to disclose data breaches that had occurred.
- After Equifax announced that it had been the victim of a cyberattack, shareholders brought suit against the company and certain directors and officers for alleged false or misleading statements about Equifax's data security measures.
- Shareholders brought a suit against PayPal alleging that the company downplayed the extent of a security breach experienced by its payment processor, which plaintiffs alleged caused artificially high stock prices.
To limit the risk of falling victim to a cyber threat and exposure to an SEC enforcement action or a shareholder suit, businesses subject to SEC oversight should consider the following steps, among others:
- Devise and maintain internal accounting controls that focus on the evolving cybersecurity threats companies face. This includes implementing (1) policies and training to ensure employees are aware of "business email compromise" schemes and (2) safeguards that make the transfers of funds in response to similar requests impossible without further internal review.
- For those businesses subject to the SEC's periodic reporting requirements, disclose as part of the discussion of risk factors the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventative actions taken to reduce cybersecurity risks; and the aspects of the business and its operations that give rise to material cybersecurity risks.
- Accurately and promptly disclose material cybersecurity incidents that have occurred.
- Ensure there are policies and procedures in place so that key information that might otherwise be known only to those charged with day-to-day responsibility for cybersecurity—such as the chief technology officer or information technology team—is shared with those involved in the company's financial statement disclosures.