Some companies fail to disclose cybersecurity incidents as required, or violate other Securities and Exchange Commission (SEC) rules that touch on cybersecurity. Whistleblowers with information about such disclosure violations, or about other cybersecurity-related violations, may turn to the US SEC whistleblower program to report the matter and may be eligible for rewards and certain job protections.
SEC Chair Gary Gensler discussed the importance of cybersecurity and US capital markets in a virtual speech to the Northwestern Pritzker School of Law’s annual Securities Regulation Institute conference this week.
“State actors and non-state hackers alike sometimes try to target various entities and businesses,” Gensler said. “All this puts our financial accounts, savings, and private information at risk.”
Publicly traded companies have legal obligations to disclose material cybersecurity incidents, such as ransomware incidents where payments are made or data breaches that expose client information.
In addition, investment companies, investment advisers, broker-dealers and other financial sector registrants have to protect customer records and information and comply with other rules that may implicate their cybersecurity practices, such as books-and-records, compliance and business continuity regulations.
“If customer data is stolen, if a company paid ransomware, that may be material to investors,” Gensler said.
The SEC has taken enforcement actions against at least two entities over deficient disclosures, and deficient disclosure controls, relating to cybersecurity incidents and vulnerabilities.
Last year, First American Financial Corporation, a real estate settlement services company, paid a $487,616 penalty to settle charges that its disclosure controls and procedures were deficient. After a journalist notified First American in 2019 that an application it used had a cybersecurity vulnerability, the company disclosed the vulnerability to the public and the SEC. However, the SEC found that First American's information security personnel had identified the same vulnerability several months earlier but had not remediated it in accordance with the company's policies, and that the executives responsible for the company's disclosures were not told about it before the disclosure was made.
The SEC said First American’s app for sharing document images exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.
In August 2021, Pearson plc, a London-based education publisher, paid $1 million to settle SEC charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records and had inadequate disclosure controls and procedures.
The SEC said that Pearson's July 2019 semi-annual report referred to a data privacy incident as a hypothetical risk, even though the 2018 intrusion had already occurred. Pearson also downplayed the possible impact of the breach in a July 2019 media statement. According to the SEC, Pearson stated that the breach "may include" dates of birth and email addresses when, in fact, it knew that such records had been stolen.
Pearson also said it had "strict protections" in place. In reality, the SEC said, the company had failed to patch the critical vulnerability for six months after it was notified of the intrusion. The media statement also omitted that millions of rows of student data, as well as usernames and hashed passwords, had been stolen.
Gensler said the economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars.
“We have a key role as the regulator of the capital markets with regard to SEC registrants,” he said. “…Cyber risks have implications for the financial sector, investors, issuers and the economy at large.”
If you are aware of ransomware attacks, data theft or other cyber incidents that haven’t been disclosed as required by SEC regulations and are considering blowing the whistle, contact Phillips & Cohen LLP for a free, confidential review of your matter by experienced SEC whistleblower attorneys.