Now that we’ve taken a look at the SEC’s biggest moments of the year, it’s time to turn to another big subject. With 2017 coming to a close, it’s only appropriate that we review a topic that dominated our blog over the past year: cybersecurity. As we wait for the SEC to issue updated guidance around cybersecurity risk factor disclosure, here is a recap of some of the most important cyber-events of 2017:
Will Facebook, Google Security Breaches Prompt Better Risk Factor Reporting? (May 18): Data breaches at Google and Facebook that cost the tech giants millions got us wondering about public reporting of cybersecurity as a risk factor. The companies eventually recouped their losses, but we noted that it was interesting that “neither company disclosed the breaches as ‘risk factors’ in their respective SEC filings while the investigations’ countermeasures were underway.”
Ransomware Attack Puts New York Regs in Spotlight (June 29): In March, New York implemented novel cybersecurity regulations that, among other things, required “the banks and insurers subject to them appoint a Chief Information Security Officer by August 2017.” In June, we wrote: “as the second major ransomware attack in two months spreads around the world, the groundbreaking cybersecurity rules introduced by the state’s Department of Financial Services (DFS) are looking like a sound idea — and, possibly, like a viable model for other states to follow.”
SEC’s Cybersecurity Enforcement Juxtaposed Against Clayton Initiatives for Deregulation (July 18): Reading tea leaves left by the newly installed co-directors of the SEC’s Division of Enforcement, Stephanie Avakian and Steven Peikin, we wrote: “Firms should expect cybersecurity enforcement and examination activity to continue under the new administration… The extent to which the SEC, and Clayton himself, feel that cybersecurity overlaps with the need to make things easier on Main Street investors remains to be seen.”
FedEx 10-K Details Ransomware Attack on TNT Express (July 27): After a subsidiary of FedEx was hit by a ransomware attack, the company’s 10-K offered additional insight into the damage “Petya” had wrought. FedEx acknowledged that while the company has “significant security processes and initiatives in place, we may be unable to detect or prevent a material breach or disruption in the future.” Speaking of the ransomware, it said that “it is likely that the financial impact will be material.”
Cybersecurity Starts at Home for the SEC (Aug. 17): Just as it released a report on the cybersecurity preparedness of the nation’s financial advisors, the SEC was having its own cybersecurity practices examined. A GAO report issued in July noted that the agency “did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion[-]detection system and made missteps in how it configured its firewalls.”
Equifax Faces Tough Questions After Massive Cyberbreach (Sept. 12): Announced in late summer, the intrusion Equifax discovered on July 29 exposed sensitive information of up to 143 million Americans. Adding the appearance of impropriety to the injury of the breach itself, it was revealed that three Equifax senior executives sold shares worth almost $1.8 million in the days after the company discovered the security breach. The company released a statement clearing the executives of any wrongdoing, saying the trades were completed before they had been informed of the breach.
SEC’s EDGAR Cyberbreach Leads to More Questions (Sept. 21): Things only got more uncomfortable for the SEC on cybersecurity. Our lede said it all: “U.S. Securities and Exchange Commission Chairman Jay Clayton is under fire after releasing a statement late on Sept. 20 that focused more on the regulator’s efforts to promote effective cybersecurity practices, and in the same breath issuing a startling revelation: EDGAR, the Commission’s Electronic Data Gathering, Analysis and Retrieval system had been compromised in 2016.” Although Clayton had not yet taken over the reins of the SEC when the breach occurred, he said, “we believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
SEC Rolls Out Cyberbreach Enforcement Initiative as Clayton Answers Senate Inquiry (Sept. 28): With questions swirling, the SEC then announced two separate enforcement initiatives: “First, the creation of an SEC cyber unit will target ‘cyber-related misconduct,’ and second, a retail strategy task force will implement initiatives that directly affect retail investors.” The SEC announcement came one day before Clayton was scheduled to testify before a Senate panel, at which he told elected officials that he learned of the data breach at the agency “belatedly” and that it could still take quite a bit of time before the full extent of the intrusion is understood.
Will Recent Data Breaches Impact the 2018 Filing Season? (Nov. 28): After a parade of high-profile data breaches continued throughout 2017, we wondered whether the SEC would issue new guidance around cybersecurity risk factor disclosure. “It’s understood that a significant cyber breach must be included under Item 8.01 of Form 8-K,” we wrote. “Beyond that, however, issuers have complained that the agency’s guidance remains murky.”
Looking back, it’s clear the Equifax breach – the biggest breach to date – may have ramifications felt not only by investors but also by everyday consumers. The event shines a strong light on the need to act in the new world of cybersecurity breaches. Less clear, however, even by the end of 2017, were the circumstances under which public companies must disclose cybersecurity as a risk factor. In 2018, those companies will no doubt be hoping for fewer breaches and greater regulatory certainty.