Watch What You Say: SEC Enforcement Scrutinizes Cybersecurity Incident Disclosures
On January 13, 2025, the Securities and Exchange Commission (“SEC”) filed a settled enforcement action against Ashford Inc. (“Ashford” or “the Company”), a company that provides products and services to the real estate and hospitality industries, for making false and misleading disclosures about a cybersecurity incident that exposed sensitive hotel customer information. The SEC alleges that the Company violated the federal securities laws by stating in its periodic reports that it had completed an investigation into the cyber incident and that it had not identified any exposed customer information. The SEC further alleges that the Company knew or should have known this was false.
The facts at issue are relatively straightforward. On or about September 20, 2023 (after the SEC’s new cybersecurity disclosure rules were final, but before the rules required compliance as to disclosures), Ashford learned it had been hit with a ransomware attack. The threat actor locked down several critical servers, including the servers that were used to manage the day-to-day operations of 22 hotels within the Company’s network. The threat actor also exfiltrated 12 terabytes of data — a massive misappropriation of information. As is typical in a ransomware negotiation, the threat actor provided the Company with a list of files that it had extracted — a so-called “proof of life.” Those file names strongly suggested that the threat actor had taken sensitive hotel guest information, including driver’s licenses, bank account information, credit card numbers, and addresses. The SEC alleges, however, that the team handling the incident response did not share this information with employees in the departments responsible for the relevant servers, who would have better understood that those servers contained sensitive customer information. The Company ultimately received the encryption key from the threat actor and received assurances that the exfiltrated data would be destroyed, presumably after paying a ransom.
On November 13, 2023, roughly two months after learning of the ransomware attack, Ashford disclosed the incident in its Q3 Form 10-Q:
During the quarter ended September 30, 2023, we had a cyber incident that resulted in the potential exposure of certain employee personal information. We have completed an investigation and have identified certain employee information may have been exposed, but we have not identified that any customer information was exposed. Systems have been substantially restored with minimal effect on certain hotel operations.
(emphasis added). The Company made a similar disclosure in its next three periodic reports filed with the SEC. The SEC alleged that the Company knew or should have known that customer information was exposed and thus was negligent in issuing the above disclosure. Notably, the SEC did not allege that the misstatement was intentional. The SEC’s complaint, filed in the U.S. District Court for the Northern District of Texas, charges the Company with violating Section 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-1, and 13a-13 thereunder. The SEC alleged that the Company failed to follow its own incident response plan and implied that this failure contributed to the Company’s alleged negligence. The SEC further alleged that the Company continued to make misleading disclosures even after it had voluntarily produced documents to the SEC that showed customer information was exfiltrated. The Company agreed to settle the SEC’s charges without admitting or denying the allegations. As part of the settlement, the Company agreed to an injunction against further violations of the securities laws and a civil penalty of $115,231. This is a relatively minor penalty and reflects, as the SEC specifically noted in its press release, Ashford’s assistance in the investigation.
This action reinforces the importance of a robust and comprehensive disclosure process that brings all relevant subject matter experts to the table, particularly in a time of crisis. The complaint also highlights the importance of accurate disclosures of cybersecurity incidents and illustrates the potential pitfalls of relying on incomplete or inadequate investigations of cyber incidents. The SEC expects companies to conduct thorough and timely investigations of cyber incidents and will reward cooperation with SEC inquiries and requests for information.
A cybersecurity incident is not just a technical or operational issue, but also a legal and compliance issue. Companies should have robust policies and procedures to prevent, detect, and respond to cyber incidents, and also to disclose them in accordance with the now applicable SEC rules. See Double-Edged Disclosure: Navigating 10-K Season with the SEC’s New Cybersecurity Disclosure Rules; SEC Finalizes Cybersecurity Laws for Public Companies: What’s New, What’s Not, and What’s Next; What Makes a Cybersecurity Risk or Incident Material? A Look at the SEC’s Proposed Rules on Cybersecurity.
As a reminder, the new SEC rules require:
- Disclosure via Form 8-K of any material cybersecurity incidents within four business days after determining an incident is material (subject to a national security or public safety exception as determined by the U.S. Attorney General).
- Disclosures in Form 10-K of:
  - a description of a company’s processes (if any) for assessing, identifying, and managing material cybersecurity risks;
  - a discussion of whether previous cybersecurity incidents have materially affected or are reasonably likely to materially affect the registrant;
  - a description of the board of directors’ oversight of risks from cybersecurity threats; and
  - a description of management’s role and expertise in assessing and managing cybersecurity risks.
V&E’s Cybersecurity and Capital Markets teams regularly advise clients on cybersecurity and SEC disclosure issues.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.