Double-Edged Disclosure: Navigating 10-K Season with the SEC’s New Cybersecurity Disclosure Rules
Public companies are now required to comply with new cybersecurity disclosure requirements in their Annual Reports on Form 10-K for fiscal years ending on or after December 15, 2023. In preparing this cybersecurity disclosure, companies face the difficult task of balancing competing risks. Over-disclosure of specific defense strategies or vulnerabilities could prove dangerous, leaving the company open to attack by opportunistic malicious actors. At the same time, companies must provide accurate disclosures that meet the Security and Exchange Commission’s (SEC) requirements, especially in light of the SEC’s ongoing enforcement action against SolarWinds Corp. Understandably, companies also want to demonstrate their competence in this increasingly important area to investors.
On July 26, 2023, the SEC approved final rules governing cybersecurity disclosures in Annual Reports on Form 10-K.1 Under Item 106 of Regulation S-K, public companies must disclose the following within their Annual Reports on Form 10-K for fiscal years ending on or after December 15, 2023:
- a description of their processes for assessing, identifying, and managing material cybersecurity risks;
- a discussion of whether risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them;
- a description of the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight); and
- management’s role and expertise in assessing and managing cybersecurity risks.
Companies will need to take several factors into consideration in seeking to prepare the “Goldilocks” of cybersecurity disclosure this annual reporting season — not too open and yet covering all the bases.
New Era of Enforcement and Litigation Relating to Cybersecurity Disclosures
While preparing their cybersecurity disclosures, companies should be aware of the recent SEC enforcement activity in this space.
On October 30, 2023, the SEC sued SolarWinds Corp., a software company, and its Chief Information Security Officer (“CISO”), accusing both of defrauding the company’s investors and customers through intentionally misrepresenting the company’s cybersecurity processes, as well as known risks and vulnerabilities.2 The SEC alleges that SolarWinds disseminated these misrepresentations in public statements on its website and in public filings, including its Registration Statements on Forms S-1 and S-8 and in other periodic reports, between October 2018 and January 2021. The SEC alleges that SolarWinds and its CISO were aware, as evidenced by internal communications and documents, that at the time of disclosure, SolarWinds was not in fact practicing the disclosed cybersecurity measures and that its current processes were subject to serious risks.3
For example:
- SolarWinds’ Security Statement claimed overall compliance with the widely used National Institute of Standards and Technology Cybersecurity Framework, while internal assessments revealed that SolarWinds was in fact receiving scores of 0 or 1 (out of 5) in multiple key areas;4
- The Security Statement also claimed that SolarWinds was following a “Secure Development Lifestyle” (“SDL”) — a process designed to standardize security best practices — but internal emails said otherwise. For example, one email to senior managers stated, “I’ve gotten feedback that we don’t do some of the things that are indicated in the [Security Statement SDL Section]”; however, SolarWinds never amended the Security Statement;5 and
- SolarWinds further claimed that it enforced certain protocols for its password security, including that passwords were encrypted at rest. Additional internal emails, however, revealed that many passwords were not encrypted but rather “stored in plain text on the public web server in the web configuration file and in the system registry of the machine.”6
Moreover, the SEC argues that the disclosures omitted SolarWinds’ and its CISO’s knowledge that SolarWinds “was not only being specifically targeted for a cyberattack, but the attackers had already gotten in.”7 SolarWinds did not file a Form 8-K with the SEC disclosing that it had been victim of a cyberattack until December 14, 2020. By that point, nearly two years had passed since hackers first breached its network. The threat actors began inserting malicious code into SolarWinds’ software, and over the next several months, this malicious code went out to nearly 18,000 customers.8
The SolarWinds enforcement action breaks new ground in two ways. For the first time, the SEC has alleged that a company has intentionally, rather than negligently, deceived customers through its cybersecurity disclosures. Moreover, for the first time, the SEC has brought an individual enforcement suit against a corporate officer in a cybersecurity disclosure case. According to SEC Director of Enforcement Gurbir Grewal, this enforcement action will not be a one-off. At a securities conference in October 2023, Director Grewal stated that more enforcement actions against individual corporate officers could be brought in the future: “If the CISO was involved in the disclosure process and had a certain level of awareness about certain facts that led him to know that those disclosures were inaccurate, then I think it’s fair game, regardless of title.”9
The SEC’s case against SolarWinds also exemplifies the SEC’s increasing focus on disclosure of generic or hypothetical cybersecurity risk factors that do not accurately address specific, known risks. In its amended complaint, the SEC accused SolarWinds of only disclosing a hypothetical cyber risk — its potential “inability to defend against unanticipated techniques” — when in reality, the company was already aware of current, existing risks and incidents and that “it was not taking adequate steps to protect against anticipated and known risks.”10
SolarWinds is not the only company that the SEC has sued for failing to disclose known and existing cybersecurity risk factors. In 2019, the SEC charged Facebook, Inc. for disclosing that the “risk of misuse of data” was “merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data.”11 Facebook agreed to pay $100 million to settle the charges. Additionally, in 2021, the SEC brought charges against Pearson plc12 and First American Financial Corporation13 for the same reason: disclosing only hypothetical cybersecurity risks when specific risks and breaches already existed.
Recommendations for Form 10-K Cybersecurity Disclosures
With the rise of SEC enforcement actions and litigation, Form 10-K cybersecurity disclosures should be accurate, up to date, and compliant with the disclosure requirements. Companies should avoid making three key mistakes: oversharing, overpromising, and not acknowledging current risks and prior incidents.
First, companies should avoid revealing too much detailed information about their cybersecurity processes, as doing so may create a roadmap for malicious actors to breach the systems of the company or those of their customers. For example, companies will want to avoid disclosing the specific names of their vendor applications, identifying specific areas of vulnerabilities in their cybersecurity process, or identifying large stores of valuable information. This may be difficult to accomplish in practice, as companies will want to demonstrate compliance with the requirements of the new disclosure rules and will have to craft their bespoke disclosure without specific guidance. For example, it may be perfectly fine to disclose that the company uses multifactor authentication, but we would not recommend that the company disclose that it uses Google Authenticator as its multifactor authentication tool.
Second, companies should not overpromise in their disclosures and thereby expose the company and its C-suite to potential SEC enforcement action. For example, statements that a company will “remain at the forefront of the industry best practices,” and those to similar effect, should be avoided. While this may be true for certain companies at certain points in time, absolute statements of this kind are easily disproven and could even be false at the time of reporting due to previously undiscovered or unreported cybersecurity incidents. This is not the place for bragging.
Third, companies often include generic and hypothetical risk scenarios in their cybersecurity risk factors. However, disclosing generic and hypothetical risk factors when cybersecurity risks have in fact materialized can lead to enforcement action and litigation risk, as noted above. A risk that has come to fruition is not hypothetical. Companies should therefore carefully consider whether any of the risks referenced in their cybersecurity risk factors have materialized and update their disclosure language accordingly. Those familiar with the space understand that cybersecurity threats are hard to discover and even harder to diagnose. Seemingly immaterial incidents may gain significance as additional facts emerge. Information within an organization may stall before making its way to key decisionmakers. Post-SolarWinds, these circumstances can create significant exposure for both companies and their leadership teams.
Vinson & Elkins will continue to monitor emerging cybersecurity and disclosure trends and to assist companies in navigating this fast-moving space. Vinson & Elkins helps companies navigate complex issues through all stages of risk assessment, cybersecurity policy development and implementation, incident response, and resulting government investigations and litigation.
1 The SEC also adopted new Item 1.05 to Current Reports on Form 8-K, obligating reporters to disclose any material cybersecurity incidents within four business days after determining an incident is material.
2 Complaint, S.E.C. v. SolarWinds Corp., No. 23-cv-9518 (S.D.N.Y Oct. 30, 2023) (Dkt. No. 1).
3 Amended Complaint, S.E.C. v. SolarWinds Corp., No. 23-cv-9518 (S.D.N.Y Feb. 16, 2024) (Dkt. No. 85) (“Amended Complaint”) at 2–11.
4 Id. at 24–34.
5 Id. at 34–46.
6 Id. at 49–54.
7 Id. at 5.
8 Amended Complaint at 9, 80
9 Jessica Corso, SEC Enters New Cyber Era In Case Against Solar Winds, Exec, Law360 (Nov. 2, 2023 10:10 PM EDT), https://www.law360.com/articles/1739501/sec-enters-new-cyber-era-in-case-against-solarwinds-exec.
10 Amended Complaint at 4–5.
11 Press Release, U.S. Sec. & Exch. Comm’n, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data (July 24, 2019), https://www.sec.gov/news/press-release/2019-140.
12 Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Pearson plc for Misleading Investors About Cyber Breach (Aug. 16, 2021), https://www.sec.gov/news/press-release/2021-154#:~:text=The%20Securities%20and%20Exchange%20Commission,the%20theft%20of%20millions%20of
13 Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges Issuer With Cybersecurity Disclosure Control Failures (June 15, 2021), https://www.sec.gov/news/press-release/2021-102.
Key Contacts
Related Insights
- InsightNovember 22, 2024
- Event RecapNovember 14, 2024
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.