Corporate Governance and Exec Compensation 2021

Issue link: https://digital.shearman.com/i/1425392

Shearman & Sterling LLP Cybersecurity | 12

The SEC's First Cyber Disclosure Case

In April 2018, the SEC brought a case against Yahoo! for failing to disclose a data breach that compromised the personal data of millions of users. The SEC order stated that Yahoo! failed to disclose the existence of the data breach and its potential business impact and legal implications in its periodic filings, instead including only general statements about the potential risk from cybersecurity attacks and incidents. This was the first cybersecurity disclosure case, and it goes to the heart of the interpretive guidance issued by the SEC. The first version of the SEC's cybersecurity guidance was issued in 2011, and the SEC limited "enforcement" of that guidance to issuing comment letters that pushed companies to rethink their cybersecurity disclosures. Bringing a case focused on inadequate cybersecurity disclosures demonstrated the SEC's increasing concern about the potential risks and impacts of cyber attacks and its view that investor protection demanded more robust, timely and specific disclosures.

The SEC also found a failure of Yahoo!'s disclosure controls and procedures, because the existence and risk of the cybersecurity breach were not properly and timely reviewed by those responsible for making disclosure decisions. That finding reinforced, shortly after its release, the February 2018 interpretive guidance.

Cybersecurity and Internal Controls

In October 2018, the SEC issued a report outlining an investigation of a number of companies that had been targeted by a series of "business email compromises." Each of the companies included in the report received spoofed electronic communications purporting to originate from a company executive or vendor, which led the companies to transfer large sums or pay falsified invoices to accounts controlled by the perpetrators of the scheme.

In the investigation, the SEC considered whether the companies violated federal securities laws by failing to have sufficient internal accounting controls. Public companies are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, and that access to company assets is permitted only with, management's general or specific authorization. In its report, the SEC made clear that public companies "must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly" and that "all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

WHAT IS THE SEC DOING NOW?

New SEC Rules Coming

Currently, there is no affirmative obligation mandating specific disclosure requirements related to cybersecurity. The SEC, as described above, has instead used existing disclosure obligations, such as risk factors and board oversight of risk, together with general concepts of materiality, as the basis for telling public companies that cybersecurity should be addressed as part of these disclosures. There have, however, been calls for specific disclosure requirements, including from Congress.1

In the past, the SEC has relied on interpretive guidance to encourage companies to disclose information about the actual and possible cybersecurity risks they face and how they think about managing those risks. For some, the weakness of the guidance is simply that it is only guidance. Although most companies take SEC disclosure guidance seriously, without a clear disclosure requirement the concern is that companies can craft their own disclosures, and investors are not provided with consistent disclosure. As a result, investors cannot easily evaluate cyber-preparedness and risk management across public companies.

As the frequency and scope of cybersecurity attacks have increased, the calls for action by the SEC have grown. There are, however, limits on what the SEC can mandate from a public company: its authority is largely confined to requiring disclosures related to cybersecurity and to using enforcement tools focused on disclosures and internal controls to drive attention to cybersecurity matters. The SEC has announced that it expects to propose new rule amendments to "enhance issuer disclosures regarding cybersecurity risk governance." Although we do not know exactly what that means, we expect that the rule will ask companies to affirmatively discuss how management addresses cybersecurity and how cybersecurity risk is addressed in the board's overall assessment of risk management. The new rule could also require a discussion

1 There have been a number of pieces of legislation introduced in the House of Representatives and the Senate over the last few years seeking to direct the SEC to adopt rules related to cybersecurity disclosures. For example, S. 808, the Cybersecurity Disclosure Act of 2021, would require the SEC to adopt rules mandating disclosure in the proxy statement regarding the board's expertise related to cybersecurity.
