January 16, 2025
Cybersecurity: Takeaways (& Surprises) From Latest SEC Enforcement Action
Earlier this week, the SEC announced settled charges based on disclosure a hospitality services company made about its investigation into a completed ransomware incident. Here’s more detail from the complaint:
[The company stated that the cybersecurity incident] resulted in “potential exposure of certain employee personal information.” Ashford went on to state, “[w]e have completed an investigation and have identified certain employee information that may have been exposed, but we have not identified that any customer information was exposed.”
Ashford, however, knew or should have known that, contrary to its public disclosures, customer information was exposed, because, as Ashford knew or should have known, the files exfiltrated in the September 2023 Cyber Incident did contain customer information, including but not limited to sensitive personally identifiable information (“PII”) and financial information for some of Ashford’s customers.
This will be one of the final – if not the final – cyber enforcement action announced under outgoing Chair Gary Gensler’s leadership, and we don’t know yet whether it will continue to be an area of focus. But for now, the settlement underscores the need to pay close attention to the details of any cybersecurity incident disclosure. Here are 4 reasons why:
1. The Enforcement Division pays attention to cyber disclosures, even if they are outside of the new(ish) line-item requirements. Here, the incident and initial disclosure occurred prior to the compliance date for reporting material cybersecurity incidents on Form 8-K. The disclosures appeared in the company’s discussion of litigation proceedings in its periodic reports, as well as in a risk factor in the company’s Form 10-K. Following the initial disclosure, the Staff reached out to the company to request additional information, which the company voluntarily provided, but the company also continued to repeat the disclosure in subsequent filings until August 2024, when it removed language that it had “not identified any customer information was disclosed” and stated that it had notified affected individuals.
2. The investigation really dug into the terms and execution of the company’s incident response plan, in order to determine whether the company “knew or should have known” that the disclosure was materially false and misleading. In this case, the SEC said that the file names in the list suggested that the files contained sensitive customer information. For example, hundreds of file names contained titles such as “guest incident report” and “guest folio” with a corresponding customer name and/or date of their stay. However, when the company contacted employees whose departments maintained those files and asked them whether they kept customer PII, they did not have them review the file trees for the compromised data and apparently did not involve the employees in the incident response plan. The SEC said that had the employees seen the file tree, they would have known there was PII, and that the company’s response was inconsistent with its incident response plan.
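The practical lesson from point 2 is that the exfiltrated-file listing itself carried the answer: file names like “guest incident report” and “guest folio” signalled customer PII, and the people who could confirm that never saw the tree. As an added illustration (not from the case, the company, or the SEC order), the following Python script shows the kind of first-pass triage an incident response team can run over such a listing: it flags paths whose names match indicator patterns for customer, financial, or employee data, and groups every path by the top-level directory so that each business owner receives the subtree they maintain for review rather than a yes/no question. The sample listing, the directory-to-owner convention, and the indicator patterns are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an exfiltrated-file listing (one path per line).
# This is illustrative data, not the listing from the actual incident.
SAMPLE_LISTING = """
HR/2022/employee_benefits_enrollment.xlsx
Hotels/Property12/guest incident report 2023-04-11 Jane Doe.pdf
Hotels/Property12/guest folio - J Smith - 2023-05-02.pdf
Finance/credit_card_chargebacks_Q3.csv
Marketing/brand_guidelines_v3.pptx
IT/switch_config_backup.txt
"""

# Indicator patterns (assumed for this example) mapped to a data category.
# The point is not the exact regexes but that file-name signals are
# captured mechanically instead of relying on recollection.
INDICATORS = [
    (re.compile(r"guest (incident report|folio)", re.I), "customer PII"),
    (re.compile(r"credit[ _-]?card|chargeback|payment", re.I), "customer financial"),
    (re.compile(r"employee|payroll|benefits|ssn", re.I), "employee PII"),
]

NO_INDICATOR = "no indicator"


def paths(listing):
    """Yield the non-empty, stripped paths from a newline-separated listing."""
    for line in listing.splitlines():
        path = line.strip()
        if path:
            yield path


def classify_path(path):
    """Return every data category whose indicator pattern matches the path.

    An empty list means no indicator fired; it does NOT mean the file is
    clean, only that a human owner still has to look at it.
    """
    return [category for pattern, category in INDICATORS if pattern.search(path)]


def triage(listing):
    """Summarise the listing as {category: [paths]} for the IR lead."""
    summary = defaultdict(list)
    for path in paths(listing):
        categories = classify_path(path) or [NO_INDICATOR]
        for category in categories:
            summary[category].append(path)
    return dict(summary)


def review_packets(listing):
    """Group paths by top-level directory (assumed here to identify the
    business unit that maintains the files) so each owner reviews the
    subtree they know, with the indicator categories attached."""
    packets = defaultdict(lambda: defaultdict(list))
    for path in paths(listing):
        owner = path.split("/")[0]
        categories = classify_path(path) or [NO_INDICATOR]
        for category in categories:
            packets[owner][category].append(path)
    return {owner: dict(cats) for owner, cats in packets.items()}


if __name__ == "__main__":
    for category, flagged in triage(SAMPLE_LISTING).items():
        print(f"{category}: {len(flagged)} path(s)")
    for owner, cats in review_packets(SAMPLE_LISTING).items():
        print(f"Review packet for {owner}: {', '.join(cats)}")
```

Running the script on the constructed listing flags two customer PII files under Hotels, one customer financial file under Finance, and one employee PII file under HR, and produces a per-owner packet for every directory, including the two with no indicator, so that nothing is silently treated as clean. In a real engagement the indicator list would be built with the business units that own the data, and the packets are what you hand them alongside the incident response plan’s review step.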
3. As support for its allegation that the statements were material, the SEC cited to risk factor disclosure that said, “protection of business partners, employees and company data is critically important to [it].” (In other words, in addition to ensuring your cyber disclosure is accurate, it’s also important to vet language in your risk factors to ensure that you aren’t overstating the importance of particular issues.)
4. The allegedly problematic disclosures first appeared in a Form 10-Q filed in November 2023, which wasn’t that long ago, and the company is no longer a registered issuer. The SEC investigated and settled these charges rather quickly and pursued the settlement even though the company deregistered. It assessed a modest penalty of $115k, which took into account the company’s cooperation. The company didn’t admit or deny the allegations.
Lastly, it was interesting to note the charges tied to equity awards and a Form S-8 registration statement. In addition to charges under Section 13(a) of the Exchange Act, the SEC brought a charge under Section 17(a)(3) of the Securities Act, which prohibits engaging in any transaction “which operates or would operate as a fraud or deceit upon the purchaser.” The charge seems to be based on the company’s grants of stock and deferred stock to its directors under an equity incentive plan registered on Form S-8. As we’ve noted previously in the July-August 2021 issue of The Corporate Counsel newsletter (and elsewhere), the SEC’s Enforcement Division isn’t shy about claims based on Form S-8 registration statements, but it may still come as a surprise to some people that this charge was in play when the only “purchasers” in this case were directors who presumably had full information.
Side note: In footnote 2 of the 2018 concept release on compensatory security offerings, the SEC shed light on the parameters of the “no-sale” theory for compensatory grants. I didn’t dig into the details of the restricted stock grants in the case at hand, but it appears the SEC considered the directors to be “purchasers” – which implies that the “no-sale” position was a “no-go.” So, remember to be cautious if you are ever looking to rely on that theory.
– Liz Dunshee