On June 14, 2021, the US Securities and Exchange Commission (SEC) settled charges against an issuer for violating disclosure controls and procedures requirements in connection with a cybersecurity vulnerability that exposed sensitive customer information. The charge of violating Rule 13a-15(a) of the Securities Exchange Act of 1934 resulted in a $487,616 penalty for the issuer.
According to the SEC's order, on May 24, 2019, a cybersecurity journalist notified the issuer of a vulnerability that exposed over 800 million images, some of which contained sensitive customer information such as financial details and social security numbers. Even though the company issued a press release the same day it received the notice and filed a Form 8-K on May 28, the SEC charged the company with violating disclosure controls and procedures requirements. The order identified material facts underlying the breach, namely that (1) the issuer's information security personnel had identified the same vulnerability months earlier but failed to remediate it in accordance with the issuer's own policies, and (2) the personnel responsible for the issuer's disclosures were not informed of this, even though it was relevant to their assessment of the disclosure response. As a result, the issuer "failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information about the disclosure vulnerability has been analyzed".
Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit, stated, "Issuers must ensure that information that is important for investors is reported up the corporate ladder to those responsible for disclosure." Rule 13a-15 requires issuers to establish and maintain disclosure controls and procedures designed to ensure that the information required to be disclosed is recorded, processed, summarized and reported.
These charges are consistent with the Commission's February 26, 2018 statement and interpretive guidance on Public Company Cybersecurity Disclosures, which states that an issuer must assess whether it has sufficient disclosure controls in place to ensure that relevant information about cyber incidents is processed and reported appropriately so that management can make disclosure decisions. The guidance further explained that "the disclosure controls and procedures of an issuer should not be limited to the explicitly required disclosure, but should also ensure the timely collection and evaluation of information" that may be relevant to assessing the risks and developments that must be disclosed.
Organizations should remain aware of the disclosure controls and procedures requirements and continuously assess whether their controls are sufficient to keep pace with the changing risks to which they are exposed. Policies should ensure that information about cybersecurity risks and incidents, including findings from internal security teams, is processed and escalated to the people responsible for disclosure decisions so that it can be disclosed in a timely manner. Issuers should reassess their current disclosure controls and procedures to avoid situations that could result in avoidable violations and penalties. If your company experiences a cybersecurity incident or receives an inquiry from the SEC or any other government agency, we encourage you to seek help from experienced legal counsel.