Corporate Governance

Corporate Governance and Exec Compensation 2021

Issue link: https://digital.shearman.com/i/1425392

Shearman & Sterling LLP | Cybersecurity

of whether cybersecurity knowledge or experience is a skillset that is present on the board and/or whether the attribute is one the board looks for in new directors. In both cases, the rule could ask companies to disclose their approach to risk management and board composition, or explain why they have not considered cybersecurity in these two areas.

Disclosure of cybersecurity risk management has been a consideration in proxy disclosures for some time. Although cybersecurity expertise is increasingly being cited as a factor in consideration of new director candidates, it has not been broadly adopted. If the rule mandates a discussion of cybersecurity experience in the proxy statement, many companies will be forced to consider it. For some companies, making a statement that their board does not need a person with cybersecurity expertise may not be palatable.

Enforcement

The SEC has stepped up its enforcement efforts in the cybersecurity area following the actions in 2018. Two cases in 2021, First American and Pearson, signal a change in the approach the SEC is taking to cybersecurity enforcement.

In the First American matter, First American suffered a cybersecurity attack, which compromised confidential, personal client information, but its information security personnel did not follow First American's escalation procedures, which resulted in a failure to inform the senior management responsible for disclosure of the incident until months after the attack. The SEC found that First American had deficient disclosure controls and procedures because there were no processes and procedures that would have resulted in the individuals responsible for disclosure being informed of cybersecurity events so that they could determine whether disclosure was necessary. What was interesting in this case was that the SEC did not find that First American had a disclosure violation. Unlike the Yahoo! case, where the SEC determined that Yahoo! omitted material disclosures in its periodic filings related to the cybersecurity events, the SEC's order against First American found a controls deficiency despite the absence of a finding of any misstatement or omission.

In the Pearson matter, Pearson suffered a cybersecurity attack that resulted in a compromise of sensitive customer data. The SEC found that the statements that Pearson made about the cybersecurity incident after it occurred were misleading and omitted important information. For example, the SEC found that Pearson referred to a data privacy attack as a hypothetical risk in public reporting after the incident occurred but before it made public disclosure of the attack. Additionally, the SEC found that Pearson's statements after it announced the incident did not disclose the full scope of the types of customer information that were compromised. These findings are not unusual. They draw directly from the cybersecurity interpretive guidance and the comment letters issued by the SEC over the last several years.

The SEC, however, also found that statements made by Pearson relating to the quality of its security protections were misleading. In its public statements announcing the incident, Pearson said, "Protecting our customers' information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability." These statements appear to be exactly what many companies would want to say when trying to weather the fallout from a cybersecurity attack, particularly one that involves the exposure of personal data of customers. Many companies try to reassure their customers, business partners and shareholders that they have things under control. The SEC concluded, however, in Pearson's case, that these statements were misleading.
