TheCorporateCounsel.net

October 23, 2024

Enforcement: More on “SEC Targets Cyber Disclosures” — The Dissent

Commissioners Peirce and Uyeda’s joint dissenting statement — taking the position that the SEC is regulating by enforcement with these settlements and citing immaterial, undisclosed details to support the charges — is worth a standalone blog. First, it thoroughly discusses the disclosures and omissions the SEC considered to be problematic and why the Commissioners don’t believe these altered the ‘total mix’ of information.

With respect to Avaya, the Commission highlights “the likely attribution of the [cyberattack] to a nation-state threat actor” as an example of omitted material information. [I]n its 2023 rulemaking on cybersecurity incident disclosure (the “2023 Cybersecurity Rule”), neither investors nor the Commission expressed a view that the identity of the threat actor is material information … Not a single one of the 150-plus comment letters submitted on the proposal requested disclosure of the identity of the threat actor. …

Although the Form 8-K requirements for disclosing material cybersecurity incidents, which were adopted as part of the 2023 Cybersecurity Rule, did not yet apply to Mimecast, it filed three Form 8-Ks related to the intrusion of the Orion software on its network. In the third Form 8-K, Mimecast filed its three-page incident report for the cyberattack as an exhibit. Mimecast’s efforts to inform its investors would not be rewarded; the Commission finds fault with its disclosures. …

The Commission highlights Mimecast’s failure to disclose that “the threat actor had accessed a database containing encrypted credentials for approximately 31,000 [of 40,000] customers.” … Mimecast disclosed, without providing a percentage or number, that encrypted customer credentials had been accessed. …

With respect to disclosure of exfiltrated source code, Mimecast stated in its incident report that the threat actor had downloaded a “limited number” of its source code repositories but the company believed that the downloaded code was “incomplete and would be insufficient to build and run any aspect of the Mimecast service.” The Commission finds that these statements were materially misleading because Mimecast did not disclose that the threat actor had exfiltrated “58% of its exgestion source code, 50% of its M365 authentication source code, and 76% of its M365 interoperability source code, representing the majority of the source code for those three areas.” … Similar to the Avaya case, such information is “details regarding the incident itself” that do not need to be disclosed.

Next, the dissent highlights how the issues identified in the enforcement action may shape disclosure under Item 1.05 of Form 8-K.

Companies reviewing today’s proceedings reasonably could conclude that the Commission will evaluate their Item 1.05 disclosure with a hunger for details that runs contrary to statements in the adopting release. To avoid being second-guessed by the Commission, companies may fill their Item 1.05 disclosures with immaterial details about an incident, or worse, provide disclosure under the item about immaterial incidents. The Commission staff has already identified the latter practice as an issue, and today’s proceedings may exacerbate the problem.

Finally, do go read the full dissent for its detailed discussion of the enforcement actions involving hypothetical and generic risk factors — drawing parallels to portions of the SolarWinds case that were dismissed and raising concerns that bringing “hypothetical” risk factor charges may result in companies including immaterial, specific disclosures in risk factors just to avoid these types of charges.

Meredith Ervine