The U.S. Securities and Exchange Commission has recently cracked down on companies it deems to have breached securities laws by making inadequate cybersecurity disclosures, and it is expected to continue to pursue enforcement activity.
To avoid SEC actions, experts advise that companies establish clear internal communications strategies on cybersecurity issues and examine their directors and officers liability insurance and cyber liability policies to determine whether they have adequate coverage if the issue arises.
Some recent examples of the SEC’s stepped-up cyber disclosure actions include:
- On June 15, without admitting or denying the SEC’s findings, Santa Ana, California-based First American Financial Corp., a title insurance services company, agreed to pay a $487,616 penalty for allegedly failing to disclose a cybersecurity vulnerability.
- On June 21, the SEC said London-based educational publishing company Pearson PLC agreed to pay $1 million to settle charges it misled investors about a 2018 intrusion.
- The agency also said in June it was launching a probe in connection with the December 2020 SolarWinds Corp. attack.
- The SEC, which had issued guidance on cybersecurity disclosures in 2018, said in its Spring 2021 Regulatory Flexibility Agenda it intends to issue rules on cybersecurity disclosure.
Many experts expect the agency to continue to pursue the issue. “They have made that clear,” said Alexander H. Southwell, a partner with Gibson Dunn & Crutcher LLP in New York, who co-chairs the firm’s privacy, cybersecurity and data innovation practice group.
“It is, frankly, part of the reality of cyberattacks in the economy today,” and part of a broader administrative response to the issue, Mr. Southwell said.
The SEC’s enforcement actions with both First American and Pearson “show us that the SEC is out of patience with companies that fail to implement the kind of internal controls that would allow a company to be inaccurate in its disclosures,” said Priya Cherian Huskins, San Francisco-based partner and senior vice president at broker Woodruff Sawyer & Co.
The agency will likely become even more aggressive in the future, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber liability practice. “As time goes on, the SEC is going to have less tolerance for organizations that don’t take the basic steps to protect sensitive data,” he said.
With more aggressive SEC action a possibility, companies should develop incident response plans that cover how to deal with a vulnerability’s discovery before it becomes an intrusion, and then make sure the infrastructure is in place to address that vulnerability, said Matthew McLellan, Marsh LLC’s Washington-based U.S. D&O practice leader.
Tamara D. Bruno, a partner with Pillsbury Winthrop Shaw Pittman LLP’s insurance recovery practice in Houston, said companies should make sure they “fully understand their own cybersecurity environment and that they are communicating regularly” with those who can bridge the communication gaps between those who implement cybersecurity and those who implement disclosures.
“Essentially, it boils down to companies needing to know what is mission-critical to their organizations,” and preventing a cyber event that will shut them down, said Tom Finan, director, cyber practice, for Willis Towers Watson PLC in Washington.
If there is a cyber incident, companies should be careful about their disclosures and make sure they are comprehensive, said Thomas O. Gorman, a partner at Dorsey & Whitney LLP in Washington.
A well-constructed D&O policy should cover investigation costs, said William Boeck, senior vice president, U.S. financial lines claims practice leader and global cyber product and claims leader for Lockton Cos. LLC in Kansas City, Missouri. It is unlikely that the coverage will extend to fines and penalties, although there are some specialized products available, he said.
A cyber liability policy could respond to an SEC investigation, depending on the policy’s wording, “but there’s a big caveat to that, and that is that cyber policies typically exclude non-privacy-related fines,” he said.
Most cyber policies also have exclusions for security-related claims, which may become an issue if there are more SEC enforcement actions, Mr. Boeck said.