Gensler Discusses Cybersecurity Under The Securities Laws
In 2018, the SEC announced that it had adopted long-awaited new guidance on cybersecurity disclosure. With the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches, the guidance cautioned, companies needed to review the adequacy of their disclosures regarding cybersecurity and consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies. The guidance highlighted the pervasiveness of, and increasing reliance by companies on, digital technology to conduct their operations and engage with customers and others. That made companies in all industries vulnerable to the threat of cybersecurity incidents, such as stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks. Whether these incidents were a consequence of unintentional events or deliberate attacks, the SEC cautioned that they represented a continuous risk to the capital markets and to companies, their customers and business partners, a risk that called for more timely and transparent disclosure.
The guidance built on Corp Fin's 2011 guidance on this topic (see this Cooley News Brief). In addition to a discussion of disclosure obligations under existing laws and regulations, the 2018 guidance added in new discussions of cybersecurity policies and procedures, particularly with respect to disclosure controls and procedures, and insider trading and selective disclosure prohibitions. The guidance urged companies to assess whether their disclosure controls and procedures captured information about cybersecurity risks and incidents and ensured that it was reported up the corporate ladder to enable senior management to make decisions about whether disclosure was required and whether other actions should be taken. According to the guidance, "[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company's business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. The controls should also ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies." (See this Cooley Alert and this PubCo post.)
In 2018, the SEC also issued an investigative report under Section 21(a) that advised public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies "may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls." As described in the 21(a) report, Enforcement conducted investigations of nine listed public companies in a range of industries that experienced cyber fraud in the form of "business email compromises," which involved perps sending spoofed or otherwise compromised electronic communications that purported to be from company executives or vendors. The perps then deceived company personnel into wiring substantial sums into the perps' own bank accounts. In these instances, each company lost at least $1 million, and two lost more than $30 million, for an aggregate (mostly unrecovered) loss of almost $100 million. And these weren't one-time-only scams: in one case, the company made 14 wire payments over several weeks for an aggregate loss of over $45 million, and another company paid eight invoices totaling $1.5 million over several months.
Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report "to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer's risk management approach to external cyber-related threats, and, ultimately, in the protection of investors." Given our expanding reliance on electronic communications and digital technology for economic activity, the report advised companies to "pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds." In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management's general or specific authorization," and that "(iii) access to assets is permitted only in accordance with management's general or specific authorization." (See this PubCo post.)