February 14, 2025
Hot Topics for Boards: Cyber Disclosure Predictions
If you’re looking for a good resource to anticipate “macro-level” questions your directors might ask you in the coming year (in addition to new regulatory reforms), Cleary Gottlieb is out with its “Selected Issues for Boards of Directors in 2025.” This year’s edition covers 13 topics over the course of 74 pages – ranging from AI, non-competes, tax risks, trade controls, disclosures about executive security and equity grant policies, enforcement, shareholder activism, Delaware issues, UK & EU capital markets, and more.
On the topic of cyber disclosures, some people are wondering whether companies will be getting more of a pass under the new regime. Earlier this week, Acting SEC Chair Mark Uyeda reiterated previous arguments against the SEC’s climate disclosure rule when directing a pause in the agency’s defense of that rule. As with the climate disclosure rule, Commissioner Uyeda, together with Commissioner Hester Peirce, criticized the SEC’s decision to adopt the cyber disclosure rules, and both Commissioners have also dissented from some recent cyber-related SEC enforcement actions. Unlike the climate disclosure rule, though, the cyber disclosure rules aren’t being challenged in court. And the Cleary team suggests that although the SEC enforcement environment may shift, companies should still pay attention to how their cybersecurity risks and processes are described in public disclosures. Here’s an excerpt:
Looking to the future, the recent dissents by the Republican Commissioners indicate a likelihood of agency focus shifting to a less granular concept of materiality in disclosures. We expect the SEC will focus on situations like that in Flagstar, where there is potential for investor harm, rather than dissecting post-incident reports and company processes.
That being said, under the last Trump Administration, the SEC brought a number of blockbuster cyber incident disclosure cases against Yahoo and others, which, combined with the new rules, behooves registrants to pay attention to disclosure and related policies and procedures.
The Flagstar settlement – which the SEC announced in mid-December – involved alleged materially misleading statements about a breach. Specifically, the SEC’s order said:
This matter concerns materially misleading statements that Flagstar negligently made regarding a cybersecurity attack on Flagstar’s network between November 22, 2021 and December 25, 2021 (the “Citrix Breach”), which resulted in, among other things, the encryption of data, network disruptions, and the exfiltration of the personally identifiable information (“PII”) of approximately 1.5 million individuals, including customers, on December 3 and 4, 2021. The risk factors in Flagstar’s 2021 Form 10-K, which it filed on March 1, 2022, stated that cybersecurity attacks “may interrupt our business or compromise the sensitive data of our customers,” but Flagstar did not disclose that Flagstar had already experienced cybersecurity attacks that resulted in the exfiltration of sensitive customer data and that the Citrix Breach interrupted its business.
In a June 17, 2022 notice to customers posted on its website (“Customer Website Notice”) and a Form 10-Q filed on August 9, 2022, Flagstar also made materially misleading statements concerning the scope of the Citrix Breach and represented that there was unauthorized “access” to its network and customer data, when Flagstar was aware that the breach disrupted several of its network systems and that customer PII was exfiltrated from its network. Flagstar also failed to maintain disclosure controls and procedures as defined in Exchange Act Rule 13a-15(e).
It’s worth noting that Commissioner Uyeda did not vote in favor of the order, and that Commissioner Peirce approved it with exception as to the Rule 13a-5 charge and the penalty.
If you’re covering cyber issues with your board, my blog from last month on putting board oversight of cybersecurity into action might also be helpful.
– Liz Dunshee