TheCorporateCounsel.net

August 17, 2021

Hypothetical Cyber Risks: SEC Enforcement Gives a Million Dollar Reminder

Yesterday, the SEC announced a $1 million settlement related to “cyber breach” risk factor disclosures and inadequate disclosure controls & procedures. Here are more details:

The SEC’s order finds that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of birth and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified.

The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.

The Pearson action is the second cyber-related settlement out of the Enforcement Division’s Cyber Unit since mid-June. At that time, the Commission settled charges relating to alleged failures in disclosure controls & procedures, which resulted in management lacking the info they needed to make accurate disclosures. Just a few days later, the Enforcement Division initiated information requests relating to the SolarWinds cyberattack. So far, the dollar values of the settlements aren’t huge – but they’re sending a message: be transparent with your disclosures.

If you missed yesterday’s blog, I highlighted sample cyber disclosures – and insider trading considerations. Meredith reminded listeners during our recent webcast that if you have a cyber breach, you don’t just need to close your window, you also need to lock all the doors. The point is, take it seriously. The Enforcement Staff may not be cutting much slack. As always, we’ll be posting memos about the enforcement action and disclosure & governance considerations in our “Cybersecurity” Practice Area.

Liz Dunshee