The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities. The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision-making processes and substantive views.
In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber enforcement actions since the Cyber Unit was formed as well as other recent SEC enforcement actions, guidelines, and public comments that shed light on potential future SEC cyber-enforcement in areas such as insider trading, cryptocurrencies and ICOs, cyber-related disclosures and policies, and cybersecurity safeguards.
Following on the heels of the SEC’s updated interpretive guidance on cybersecurity disclosure, SEC Chairman Jay Clayton and SEC Commissioner Robert Jackson each recently made public statements underscoring the agency’s increasing focus on cybersecurity.
On March 12, 2018, at a conference held by the Council of Institutional Investors, Chairman Clayton stated that the SEC will closely monitor how corporations respond to the new interpretive guidance. During an interview conducted by former Chairwoman Elisse Walter, Chairman Clayton said implementation of the interpretive guidance “will be a focal point for staff review” and that companies should work to determine their disclosure obligations under the current rules. Reiterating the interpretive guidance’s statement that the SEC expects companies to make disclosures “tailored” to their particular cybersecurity risks and incidents, Chairman Clayton stated that companies must put significant effort into determining their individual disclosure obligations under the current rules, meaning that “[r]eally good lawyering and governance is necessary.” Chairman Clayton also alluded to calls by certain SEC Commissioners for rulemaking requiring the disclosure of cybersecurity incidents in 8-K filings: “In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,” said Chairman Clayton, adding “[i]t’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.”
In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached but, as a result of his position, was made aware of enough confidential information to “put 2 and 2 together” (in the words of his own contemporaneous text messages) and infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares when the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.
On February 21, 2018, the Securities and Exchange Commission (the “Commission”) published interpretive guidance to assist public companies when considering, drafting and issuing disclosure about cybersecurity risks and incidents (the “interpretive guidance”). The interpretive guidance became effective immediately upon issuance.
The Commission’s interpretive guidance reaffirms and expands upon guidance issued by the Division of Corporation Finance in 2011 (the “Division guidance”) relating to the disclosure of cyber-related matters. The interpretive guidance also addresses two additional topics not covered in the Division guidance, specifically that a company’s disclosure controls and procedures need to cover cyber-related matters and that compliance with insider trading prohibitions must take into account cybersecurity incidents. The Commission’s issuance of interpretive guidance underscores the Commission’s increased focus on cybersecurity and follows on the establishment of the Commission’s Cyber Unit in 2017 to target cyber-related misconduct and repeated statements by Chairman Jay Clayton and other Commission officials that cybersecurity is a priority area for the agency.
On January 30, 2018, the U.S. Securities and Exchange Commission (SEC) announced that it had obtained an order from a U.S. District Court in Dallas, Texas, halting an allegedly fraudulent initial coin offering scheme. The SEC’s complaint alleges that defendants AriseBank and AriseBank founders Jared Rice Sr. and Stanley Ford violated the anti-fraud and registration provisions of the U.S. federal securities laws, including by falsely claiming that AriseBank’s customers’ accounts and transactions were FDIC insured, falsely claiming that AriseBank’s customers could spend 700 different virtual currencies using AriseBank’s Visa card, and failing to disclose the criminal history of two of AriseBank’s officers. Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets, and for the first time in a cryptocurrency enforcement case has appointed a receiver over those assets, including the cryptocurrencies purportedly held by AriseBank.
On Monday, December 11, 2017, SEC Chairman Jay Clayton waded into the ongoing debate surrounding cryptocurrencies, initial coin offerings, and the regulation of both. In a statement urging potential investors to exercise caution and market professionals to focus on their responsibility to help protect investors, the Chairman warned of the susceptibility of the burgeoning crypto markets to manipulation and fraud.
The SEC has recently signaled increased concern with the offering and marketing of Initial Coin Offerings (“ICOs”), which should be of interest to companies and institutions involved with ICOs. On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting ICOs about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions. Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers. The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.” The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934.