October 22, 2024
What happened?
On October 22, 2024, the SEC announced charges against four current and former public companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions,” according to a SEC press release. The SEC’s charges originate from an investigation of public companies that were potentially impacted by the compromise of SolarWinds’ Orion software and additional similar activity.
All four companies were fined under the Securities Act of 1933 and the Securities Act of 1934 and agreed to pay the penalties without admitting or denying the SEC’s findings. The companies and associated penalties are as follows:
According to the SEC, these companies learned that the threat actor likely responsible for the SolarWinds breach also accessed their systems. However, they did not accurately report the incident to customers and shareholders. Some companies were noted as using misleading or false statements that diminished the true scope of the incidents.
Unisys described the breach as hypothetical despite knowing that at least two cyber incidents had occurred. The SEC further found that Unisys’ material misleading disclosures stemmed from deficient disclosure controls.
Avaya disclosed that a threat actor had accessed only a “limited number” of email messages despite knowing the threat actor accessed 145 files in their cloud file sharing environment.
CheckPoint was aware of the intrusion, however, described it and associated risks in generic terms.
Mimecast did not disclose the nature of the code or number of encrypted credentials that were accessed by the threat actor.
In the press release, Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, reminded companies that while they may be the target of cyberattacks, it is important to not make matters worse for their stakeholders by providing misleading or inaccurate disclosures regarding the incident.
Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, further stated, “Downplaying the extent of a material cybersecurity breach is a bad strategy. In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew they had warned of risks that had already materialized”.
What does this mean for me?
Although the charges above involve public companies, investment advisers and other financial institutions should take note of the lessons learned when notifying clients of a data breach. Currently, breach notifications are primarily governed by state laws for investment advisers. In addition to these requirements, the recently adopted amendments to Regulation S-P will require broker-dealers, investment companies, and registered investment advisers to comply with certain requirements, including providing customer notification as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under certain limited circumstances.
Based on the charges above, it is clear that the SEC expects firms to provide sufficient and timely disclosures to the relevant stakeholders. We anticipate that the SEC will apply a similar approach in reviewing notices provided under the Regulation S-P amendments. In the event a service provider experiences a breach involving personally identifiable information, Amended Regulation S-P requires that advisers have reasonable basis for believing that they will be notified of such a breach within 72 hours. As firms prepare for compliance with the Regulation S-P amendments, advisers should ensure their Incident Response Plan and Program adequately addresses disclosures regarding an incident and takes into account all relevant regulations (including state and federal). Larger entities (RIAs with $1.5 billion or greater in AUM) must comply with Regulation S-P amendments by December 2025. Smaller entities must comply with Regulation S-P amendments by June 2026.
Fairview Cyber specializes in helping firms meet SEC cybersecurity requirements and expectations, including the development of incident response plans. If you have any questions, or if you need any assistance with your compliance or SEC cybersecurity program, let us know, and one of our regulatory experts will contact you soon.