Cybersecurity Disclosure and Enforcement Developments and Predictions
January 16, 2025
The SEC pursued multiple high profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.
Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.
SEC Disclosure Rules and Guidance
The SEC’s cybersecurity disclosure rules became effective in late 2023, and 2024 marked the first full year of required compliance. The rules added Item 1.05 to Form 8-K,[1] requiring domestic public companies to disclose certain information within four business days of determining that they have experienced a material cybersecurity incident, including the material aspects of the nature, scope and timing of an incident and the material impact or reasonably likely impact of the incident on the company.
The SEC focused considerable effort on providing additional guidance on how it expects companies to comply with the cybersecurity rules. After observing developing practice for six months, the SEC staff published five additional Compliance and Disclosure Interpretations (C&DIs) in June 2024, clarifying certain points with respect to materiality determinations in connection with the rules.
Erik Gerding, the outgoing Director of the SEC Division of Corporation Finance, also issued two statements at the time relating to disclosure of cybersecurity incidents. One statement noted, in response to multiple companies filing Item 1.05 Form 8-Ks for incidents for which they had not yet made a materiality determination or that they had determined were not material, that in these circumstances, companies should instead disclose the incident under a different item of Form 8-K (for example, the catchall Item 8.01), to allow investors to more easily distinguish between incidents that have been determined to be material and those that have not.
Finally, the SEC issued comments to several companies that had filed Item 1.05 Form 8-Ks. The majority of these comments were issued to companies that, prior to the June 2024 guidance, had disclosed incidents under Item 1.05 that they had not determined to be material. Companies generally noted that they would consider that guidance going forward.
Enforcement
Cybersecurity incident response and related disclosures remained a priority for agency enforcement throughout the year. Notably, this year’s headline actions were brought based on conduct occurring prior to the new Form 8-K requirements taking effect. Additionally, the cases involved either no-admit, no-deny settlements or allegations that have not been tested at trial. For further discussion, see An Active Year in Enforcement, with Changes to Come.
Of particular note were a settled enforcement action in June against R.R. Donnelley (RRD), a Manhattan federal judge’s July decision granting in part and denying in part SolarWinds’s motion to dismiss certain charges relating to a well-known cyber attack in 2020, and more recent enforcement actions and settlements against companies that were victims of cyber attacks. While the SEC suffered a setback in the SolarWinds case, actions settled both before and after that decision demonstrated an appetite to aggressively pursue what the SEC perceived to be inadequate disclosure controls or potentially misleading post-incident disclosures.
R.R. Donnelley Settles Inadequate Security Alert Response Allegations
In July of 2024, business communications and marketing services company R.R. Donnelley & Sons Co. agreed to pay $2.1 million to resolve an SEC investigation into alleged deficiencies in RRD’s disclosure controls and internal controls, both related to a 2021 cyber attack. The SEC alleged that RRD did not allocate enough resources to manage alert monitoring reports produced by a contracted third party monitoring service and did not adequately instruct the service provider on escalation procedures.
Notably, the SEC was concerned with RRD’s failure to maintain cybersecurity procedures and controls designed to escalate relevant aggregated security alerts, in addition to confirmed incidents, to management personnel and disclosure decision-makers in a timely manner. This focus on failure to escalate alerts casts a much wider net for disclosure controls relating to general anti-fraud provisions than incidents that would need to be escalated for consideration of whether disclosure is required under Form 8-K. With this in mind, registrants should analyze their entire incident response process to determine whether controls and procedures are in place not only to detect material incidents and potential security events, but also to direct front line reviewers how to appropriately escalate such information and to consider the materiality of incidents in the aggregate.
The SEC also took issue with RRD’s capacity for responding to alerts. Highlighting a perceived inability to adequately manage the large volume of escalated alerts, the enforcement order alleged that “the staff members allocated to the task of reviewing and responding to these escalated alerts had significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD’s environment.”[2] Registrants should consider whether their internal and external security teams have sufficient time and resources to dedicate to reviewing and potentially escalating alerts. Companies should be prepared to defend the adequacy of those staffing and resourcing decisions based on historical needs.
Dismissal of Most SEC Claims Related to SolarWinds
SolarWinds Corp. suffered a significant cyber attack dubbed “SUNBURST” that was discovered in December 2020. The attack corrupted the security of SolarWinds’ software products, resulting in subsequent security incidents that impacted SolarWinds customers, including the federal government, certain state governments and many Fortune 500 companies. The SEC filed a complaint against SolarWinds and its Chief Information Security Officer in October 2023, alleging they made false statements in violation of the antifraud provisions of the federal securities laws, by touting the strength of their cybersecurity practices in the period before they learned of the SUNBURST incident, and by misleadingly minimizing the extent of the intrusion after it was discovered. The SEC also accused SolarWinds of having such poor cybersecurity and incident reporting procedures that it constituted a violation of the internal controls and disclosure controls provisions of the securities laws.
In July 2024, a judge in the Southern District of New York dismissed the claims relating to the pre-incident media and disclosures, post-incident Form 8-Ks, disclosure controls, and internal controls. The only claim that the district court has permitted to proceed alleges that SolarWinds released a Security Statement that materially misrepresented their internal access controls. The SolarWinds decision leads to several important takeaways.
First, the decision strikes a blow against the SEC’s contention that cybersecurity controls are part of the system of internal control over financial reporting required by securities laws. The opinion contained persuasive logic that may frustrate an appeal or further attempts at this line of argumentation in future SEC actions. Consequently, the SEC may refocus their efforts towards disclosures and disclosure controls, as they have historically.
Second, the SolarWinds case serves as a reminder that companies can be liable in an enforcement action for public statements that are not contained in SEC filings and that may not even be intended for investors. Companies and boards of directors should be aware of what statements are made in marketing materials, security statements, ESG statements, and other public statements that are part of the “total mix of information” available to investors.
Third, courts may distinguish between highly general statements touting a strong cybersecurity posture, which may be dismissed as mere puffery that is not important to investors, and concrete statements about specific cybersecurity practices, which can give rise to a fraud claim if a company is not following those practices with consistency. Here, the order dismissed claims related to generic statements from SolarWinds that it “places a premium on the security of its products” and “makes sure everything is backed by sound security processes” while declining to dismiss claims related to statements such as SolarWinds’s representation that its “password best practices enforce the use of complex passwords that include both alpha and numeric characters.”
Fourth, the opinion highlights the importance of providing supplemental disclosures when the victim of a cyberattack determines additional material information about the incident. An additional Form 8-K filed by SolarWinds in January 2021 was cited in the opinion as evidence of the company’s lack of fraudulent intent regarding any possible prior material omissions. This point highlights the importance for companies to file follow-up disclosures after a cyberattack, as appropriate, as the SEC highlighted in the Form 8-K requirements.
Settlements With Victims of SolarWinds Attack
In October, the SEC announced settled enforcement actions charging four companies that experienced cyber intrusions due to utilization of infected SolarWinds software. All four companies were involved in IT services and experienced security incidents. The SEC alleged that two of the companies materially misled investors because they used the same generic risk factor disclosures about potential cyber attacks as they did before the breach. The other two companies did provide updated post-breach disclosures, but the SEC alleged these disclosures were misleading by omission, because the companies allegedly downplayed the extent of the intrusions by omitting details that would have been material to investors, such as the fact that the threat actor behind the breach was likely a state actor; the extent of the threat actor’s activity in each company’s environment; and the amount and importance of the code that was exfiltrated. When considered together with the SolarWinds opinion, these actions provide a few takeaways worth considering.
The SEC did not allege that any of the charged companies’ cybersecurity practices violated the Exchange Act’s internal controls provisions. It is unclear whether this absence was due to a policy change at the SEC after the SolarWinds ruling or merely a reflection of factual differences between the situations. On the other hand, the SEC did allege failure to maintain proper disclosure controls against one of the companies, asserting that it had no procedures to ensure that, in the event of a known cybersecurity incident, information would be escalated to senior management. Notably, many months elapsed between when the intrusion was discovered by first line security alert reviews and when senior management was alerted.
These actions against victims of cyber-incidents demonstrate the aggressive enforcement posture under Chair Gary Gensler’s SEC, despite losses on similar points on the motion to dismiss in the SolarWinds case. A dissenting statement by Republican Commissioners Hester Peirce and Mark Uyeda, who also dissented from the vote to bring the SolarWinds action, sheds some light on how things may shift following the upcoming administration change. Calling this action “Monday morning quarterback[ing],” the Republican Commissioners argued that these actions were largely victim blaming, especially when the companies had disclosed the incidents and the SEC was nitpicking the quality of the disclosures. The dissent also argued that the statements or omissions at issue would not actually be material to a reasonable investor. We believe it is unlikely that these sorts of cases will be brought under the new administration of Chair-nominee Paul Atkins, with the new administration focusing on violations of the new disclosure rules and actual investor harm.
Finally, the settlements indicate that the SEC will give heightened scrutiny to disclosures by companies in sectors such as information technology and data security, because in their view cybersecurity breaches are more likely to affect these companies’ reputation and ability to attract customers.
Flagstar Financial Settlement
The Flagstar Financial, Inc. settlement released on December 16, 2024, provides an indication of the type of cybersecurity case the SEC is more likely to focus on under the next administration.[3] In a no-admit/no-deny settlement in which Flagstar paid a $3.55 million penalty, the SEC alleged that Flagstar negligently made materially misleading statements regarding the late 2021 “Citrix Breach” that resulted in the encryption of data, network disruptions, and the exfiltration of personally identifiable information for approximately 1.5 million individuals. The SEC took issue with 2022 Flagstar filings representing that the company merely experienced unauthorized “access” to its network and customer data when in reality it was aware that the breach disrupted several network systems and exfiltrated sensitive customer data. The SEC also objected to the company repeating generic risk factor disclosures about the potential for experiencing hacks after the company was already aware of the cyber attack. Taken together, the SEC considered these notices to be misleading. Notably, the Republican Commissioners did not dissent from the Order. This case illustrates the type of cases the upcoming administration is more likely to pursue: those where investors or customers may have been harmed and post-incident disclosures are materially misleading, both in downplaying incident severity and in omitting critical facts.
Conclusion
Companies should take care in deciding how and when to disclose cybersecurity incidents and in crafting disclosures about the potential impact of such incidents, including on Form 8-K and risk factor disclosure. Registrants will need to balance the SEC’s concern with over-disclosure under Item 1.05 with the risk of enforcement actions should they fail to disclose facts deemed by the SEC to be material. Given the guidance provided by the SEC, we generally expect registrants will err on the side of filing protective Item 8.01 Form 8-Ks for incidents they are concerned could turn out to be material, but before a definitive materiality conclusion has been reached, which has been the general practice following the SEC guidance in June. Registrants that file an 8-K under Item 1.05 without describing any actual or expected quantitative or qualitative material impact should be ready to explain to the SEC staff their materiality analysis and why they filed under Item 1.05 and not Item 8.01.
When preparing their disclosure, registrants should consider factors such as: whether the threat actor is likely affiliated with a nation-state; whether, or the extent to which, the threat actor persisted in the company’s environment; and whether the company should disclose not only the number of files or amount of customer data compromised, but also the importance of the files or data and the uses that can be made of them. If the company seeks to quantify the impact of the intrusion, the SEC will likely scrutinize whether the company selectively disclosed quantitative information in a misleading way. Additionally, if the company quantifies the impact of the intrusion but is aware of gaps in its investigation or in the available data that mean the severity of the impact could have been worse, the SEC may consider it misleading not to disclose those facts.
Looking to the future, the recent dissents by the Republican Commissioners indicate a likelihood of agency focus shifting to a less granular concept of materiality in disclosures. We expect the SEC will focus on situations like that in Flagstar, where there is potential for investor harm, rather than dissecting post-incident reports and company processes. That being said, under the last Trump Administration, the SEC brought a number of blockbuster cyber incident disclosure cases against Yahoo and others, which, combined with the new rules, behooves registrants to pay attention to disclosure and related policies and procedures.
[1] The final rules also amended Form 6-K to add “cybersecurity incidents” as a reporting topic for foreign private issuers.
[2] See “In the Matter of R.R. Donnelley & Sons Co.” (June 18, 2024), available here.
[3] See SEC Administrative Proceedings, “SEC Charges Flagstar for Misleading Investors About Cyber Breach” (December 16, 2024), available here.