Yesterday, the SEC announced that it settled charges against a title insurance company for alleged disclosure controls and procedures violations in connection with a cybersecurity vulnerability. The issue was that allegedly inadequate disclosure controls and procedures left management without all relevant information about the vulnerability when it assessed the company’s disclosure response and the magnitude of the resulting risk. Although the company’s information security team performed a security assessment of one of its applications and identified the vulnerability, it then allegedly didn’t inform the company’s senior IT management of the vulnerability or remediate it in accordance with company policies until several months later. The SEC’s press release provides a summary:
According to the SEC’s order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.
‘As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,’ said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. ‘Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.’
Without admitting or denying the findings in the SEC’s order, First American agreed to cease and desist from violations of Exchange Act Rule 13a-15 and to pay a $487,000 penalty. This action relates to disclosure controls and procedures, but the cybersecurity connection is interesting since cybersecurity risk governance is among the items listed in the latest SEC Reg Flex Agenda.
– Lynn Jokela
Following recent high-profile cyberattacks involving SolarWinds, Colonial Pipeline and others, the White House issued a memo to executive business leaders urging companies to take immediate actions to help protect not only companies themselves, but also customers and the broader economy. The memo follows the Executive Order signed by the President in May that was intended to strengthen the federal government’s cybersecurity defenses.
Among other recommendations, the White House memo urges businesses to adopt the five best practices outlined in the President’s Executive Order, including multifactor authentication, endpoint detection, endpoint response, encryption, and a skilled, empowered security team. In addition to operational and technical matters, this Jenner & Block memo includes a couple of helpful reminders for legal teams:
Importance of a Multi-Functional Team: Cybersecurity and information protection are broad efforts encompassing many different skills within a company. Legal counsel should be included in the team to advise about the application of relevant laws, regulations, and policies, and to prepare for potential litigation and enforcement actions.
Importance of Legal Privilege: Companies should consider how to maximize the application of legal privilege to internal factfinding efforts that are designed to address potential legal exposure from cybersecurity and data protection rules.
Recently, Deputy Attorney General Lisa Monaco also spoke up about increased risk of ransomware attacks, urging disclosure and cooperation with the FBI. This CNBC piece provides a summary of her remarks.
– Lynn Jokela
Tune in tomorrow for our webcast – “Cyber, Data & Social: Getting in Front of Governance” – to hear Melissa Krasnow of VLP Law Group, Lisa Beth Lentini Walker of Lumen Worldwide Endeavors, Sue Serna of Serna Social and Heidi Wachs of Stroz Friedberg/Aon discuss what boards need to know about cyber, data & social – risks & opportunities, monitoring new threats, managing compliance with changing laws & different jurisdictions, social media oversight, director liability issues and more!
We will apply for CLE credit in all applicable states for this 1-hour webcast. You must submit your state and license number prior to or during the program. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval, typically within 30 days of the webcast. All credits are pending state approval.
No registration is necessary – and there is no cost – for this webcast for our members. If you are not yet a member, sign-up now to access the program. You can sign up online, send us an email at firstname.lastname@example.org – or call us at 800.737.1271.
– Lynn Jokela
Yesterday, the SEC announced that Renee Jones will serve as Corp Fin’s next Director. Renee most recently served as Professor of Law and Associate Dean for Academic Affairs at Boston College Law School, where she taught courses in corporations, securities regulation, startup company governance, and financial regulation. Previously, she represented private and public companies on corporate and securities matters at the Boston law firm Hill & Barlow. Coming in from academia isn’t entirely new, as John Coates was a long-time academic when he was appointed as the Division’s Acting Director, but traditionally the head of Corp Fin has been a practitioner.
Along with Renee’s appointment, after having served as Corp Fin’s Acting Director since February 2021, John Coates was named SEC General Counsel. Both appointments are effective June 21st.
– Lynn Jokela
It’s hard to believe it’s been a year since Marty passed away. In this podcast, Dave Lynn pays tribute to his great friend with a compilation of “greatest hits.” I hope you enjoy it as much as I did.
– Lynn Jokela
With news about cyber attacks seeming to crop up almost daily, considerations about potential ransomware attacks extend beyond information security officers. Alston & Bird recently issued a memo addressing considerations about ransomware attacks for the general counsel. Among other things, one of the items covered in the memo relates to how increased ransom payments have placed strains on the insurance industry. The memo warns that companies may encounter a more rigorous underwriting and renewal process than they’ve experienced in prior years.
Indeed, as companies seek to acquire new cyber-insurance policies or renew existing ones, the insurers’ enhanced diligence procedures may require additional disclosures or the implementation of new or more stringent cybersecurity procedures to meet the insurer’s standards. Policies can often require a checklist of specific security controls to be in place and periodically tested for effectiveness, for example, which are designed to mitigate the risk of ransomware.
Other insurers are taking different approaches. Just this week, one European insurer announced that it will no longer issue cyber-insurance policies in France that reimburse insureds for ransom payments.
There is also the risk that an insured company may find that its policy’s pre-approval process for the retention of outside counsel, forensic experts, ransom payment facilitators, and even the potential ransom payment itself is in tension with the company’s interest in a swift and immediate response to a ransomware event. The extent to which the policy includes recovery costs can pose an additional challenge if a policy does not treat expenses related to the forensic investigation, ransom payment itself (if applicable), and rebuilding affected systems as covered recovery costs.
– Lynn Jokela
Last year’s Rule 14a-8 amendments may or may not be here to stay. The Senate “fast-track” deadline under the Congressional Review Act – which could have undone the amendments – expired at the end of May, according to Daniel Pérez of the GW Regulatory Studies Center. Now though, Rule 14a-8 is among the items listed in the SEC’s new Reg Flex Agenda – which was posted Friday as part of a federal agency-wide reveal of the new Administration’s plans for rulemaking.
The Rule 14a-8 amendments are listed in the Reg Flex Agenda’s section for “proposed rulemaking” – targeting April 2022 for a proposal. Among other items included in the agenda’s proposed rulemaking stage, with some targeted to potentially come along quickly, are:
– Rule 10b5-1 – October 2021
– Climate change disclosure (climate-related risks & opportunities) – October 2021
– Human Capital Management disclosure – October 2021
– Enhanced cybersecurity risk governance disclosure – October 2021
– SPACs – April 2022
– Proxy Voting Advice – April 2022
And, among items included in the pre-rule stage are the exempt offerings framework and gamification (out of the Division of Trading & Markets).
The SEC’s regulatory agenda is non-binding and doesn’t really mean a lot other than that it identifies the SEC Chair’s priorities. Stay tuned, as these agendas tend to change over time.
As for Rule 14a-8, the rule amendments adopted last fall remain intact and are currently effective – although the Commission adopted a transition period that says the final amendments first apply to any proposal submitted for meetings held on or after January 1, 2022. We’ll be following any Commission action or agency statements about the rulemaking closely and will be sure to blog about it.
To get up to speed on the Rule 14a-8 amendments before a shareholder proposal lands on your desk, check out our “Shareholder Proposals Handbook” – it’s been updated to incorporate the 14a-8 amendments, and members can access it at no charge right here on TheCorporateCounsel.net.
– Lynn Jokela
Increased gender and ethnic diversity on public company boards is generally viewed positively. Nasdaq’s board diversity listing proposal has generated a bit of back and forth discussion as some have questioned the empirical research Nasdaq cited as justification for the proposal – John blogged back in April with one take on it and then Liz blogged about another take on it in May. Last week, the SEC issued a notice stating that it designated a longer period to consider Nasdaq’s proposed rule change. August 8 is the new date by which the Commission shall either approve or disapprove Nasdaq’s proposed rule change, as modified by Amendment No. 1.
Besides the back and forth that John and Liz blogged about, there have been quite a number of comment letters about Nasdaq’s proposal, and the Commission’s notice says it’s extending the period so it has sufficient time to consider the proposed rule change and the comment letters. And, for those reading the latest Reg Flex Agenda closely, you probably noted that corporate board diversity is among the items listed in the proposed rulemaking stage, with an October 2021 target date.
– Lynn Jokela
With stakeholders continuing to look for disclosure about board diversity, we’re starting to see increased company disclosure. To help stakeholders compare disclosure practices, KPMG (along with the help of ESGauge) recently launched a free new tool that tracks disclosure about board diversity. Here’s the press release, which includes some initial findings and a link to the tool.
KPMG’s tool facilitates comparison of disclosure practices by sector, index (Russell 3000 and S&P 500) and company size. When preparing next year’s proxy statement disclosure about board diversity, this tool might help in-house counsel see how much companies in their industry and size range are disclosing about board and individual director diversity and related policies and help ensure their disclosure is keeping step!
For more board diversity info, Deloitte and the Alliance for Board Diversity recently released a 44-page report examining representation of women and racial/ethnic minorities on boards among Fortune 100 and Fortune 500 companies. See this Cooley blog for a recap of some of the report’s findings.
– Lynn Jokela
Big thanks to member Sundance Banks for alerting us to what appears to be a pretty widespread whistleblower hoax, and to others who have provided more background over the last few days, including WilmerHale’s Susan Muck & Kevin Muck. Many companies maintain an email inbox at which employees can submit concerns about accounting or compliance matters, in addition to their third-party ethics hotline. An anonymous gmail account has been pinging those inboxes with a message that starts like this:
Dear Ethics Committee,
I am a long-time employee, but for the purpose of this report, I request to remain anonymous. I also do not want to name the person this report is about, at least for the time being. I would like to bring to your attention an incident that happened a while back to see whether it warrants any action on my part.
My boss, whom I’ve worked with for years now, and in any respect had been a stand-up person I look up to, has confided in me about stock trading they’ve made the past year. He/She shared with me the fact that they’ve bought and sold a significant amount of [our company’s shares/one of our major business partner’s shares]. When I asked how often they traded and how much money did they earn, he/she just smiled and said: “let’s just say I know something others don’t. That’s what working in this company for __ years will get you”, indicating how long they worked in the company. A couple of days later, he/she called me to their office for a quick chat. We began talking about normal work affairs, but towards the end of the conversation, the boss asked me to close the door. When I did, he/she brought up the conversation about the stock trading again, telling me it’s probably for the best I don’t share this with anyone. I immediately responded that I didn’t and had no intention to do so. I also mentioned that this is not my business. The boss looked at me for a while and said that they knew they could count on me. They also mentioned that I am a very good employee and that he/she really appreciates me. The boss has been nothing but nice to me since then.
The message continues for a few more paragraphs and honestly seems pretty believable. But it quickly came to light as a scam when several companies contacted outside counsel about next steps, and the lawyers recognized that multiple clients were receiving very similar submissions. At least 25 companies have received this – the full number is likely much higher. Until Snopes starts debunking fake whistleblower messages, what should you do – or not do – if you receive this email or something like it?
1. Contact your outside counsel – a key takeaway here is that outside counsel can be very helpful in spotting commonalities that could be red flags.
2. Don’t respond until you’ve verified that the submission is legit – this is tricky, because whistleblower submissions typically trigger a cascade of policies & procedures, including prompt notification of directors and outside auditors, and responding to the whistleblower to get more information. But if you get this exact email, know that even regulators agree that it isn’t genuine and companies shouldn’t spend resources responding. They don’t want you engaging with potential criminals, if you can help it.
3. Don’t provide additional info to the whistleblower until you’ve verified that the submission is legit – again, this is delicate, but even responding with seemingly benign info could give the scammer points of contact in the legal, compliance or finance departments for future phishing schemes or illegitimate requests for money transfers.
4. Don’t download files or click on links – this version of the email doesn’t contain any files or links, but if you’ve already responded and received any sort of follow-up communication, don’t open it.
5. Alert your directors & auditors – this incident underscores the need for strong cybersecurity training and good email hygiene, and they should be on the lookout for scams.
6. Don’t forward the email – the scammer may be able to collect more email addresses if you do that. Copy & paste the content into a new message – or take a screenshot – if you need to share something that seems suspicious.
A very troubling aspect of this hoax – in addition to it coming at a time when the White House has warned all companies to be on high-alert about cybercrime – is that it undermines an important system that companies and regulators rely on to prevent wrongdoing. I don’t want to suggest in any way that you ignore whistleblower complaints – but in light of this, it’s probably worth doing a gut-check with outside counsel before responding. I’ve been told that regulators are also taking this incident very seriously.
Quick Poll: What’s the Fake Whistleblower’s Endgame?
Like a chain email that just won’t stop, or one of those Facebook “warnings” from 2009 that periodically recirculates for no apparent reason, the endgame here is a bit of a mystery. Vote for your favorite theory in this anonymous poll:
– Liz Dunshee