Violent Delights, Violent Ends? Two Possible Futures of SEC Cyber Regulation
A judge recently struck down most of the SEC’s flagship cybersecurity case against SolarWinds and its CISO—a significant setback for the agency’s strict view of cybersecurity disclosure enforcement. So what should public companies expect going forward? In this week’s D&O Notebook, my colleague and former SEC enforcement official Walker Newell explains the historical background of cyber + securities enforcement and walks through two different possible futures for government regulation in this space. –Priya
As I have watched recent plot twists in the Securities and Exchange Commission’s (SEC’s) cybersecurity drama, the phrase “violent delights have violent ends” keeps bubbling around in my brain. Let me explain.
In Romeo & Juliet, a wise friar advises the titular hero to temper his passionate love, cautioning that "violent delights have violent ends."
According to the distinguished Faculty of English at Cambridge, this means that excess speed and “lack of moderation...can only end badly.” “Violent” here just means “passionate.” (Low-brow confession: I know this quote from HBO’s Westworld, not the original Shakespeare.)
As the SEC has ramped up its cyber + securities enforcement activities over the past year, some have accused the agency of immoderation. While the current SEC clearly believes in robust cybersecurity disclosure enforcement against public companies, the agency could be controlled in the future by leaders with a different perspective. So how will this saga end? After taking a look at the historical backdrop, I’ll walk you through two possible futures for SEC cyber + securities regulation.
A Brief History of Public Company Cyber + Securities Regulation
The SEC first began focusing on public company cyber disclosures around 2017, when it established a dedicated Cyber Unit in the Division of Enforcement. While the Cyber Unit was not specifically intended to focus on public company disclosures (its mission statement mostly related to punishing hackers, not companies that had been hacked), the Unit has since been behind all subsequent SEC cyber disclosure cases.
At the outset, the SEC acted slowly and with moderation. I think this is a fair description of the prevailing philosophy at the time: When a public company gets hacked, the company and its customers have been victimized by bad actors. Under these circumstances, public disclosure is a sensitive area, and companies should mostly be given the benefit of the doubt. If a company completely hides the ball about a huge incident or affirmatively lies about an incident and investors are harmed, the government may step in, but this will be the exception, not the rule.
Consistent with this philosophy, in the previous administration, the Director of Enforcement said that the SEC would “not second-guess good faith exercises of judgment about cyber-incident disclosure.” And that is the way it stayed for the first few years.
However, in recent years, the current SEC administration has pursued increasingly aggressive cases against public companies. (The story for registered entities—e.g., investment advisers, exchanges, and brokers—is trending in the same direction but is not covered here.)
Here's a timeline of key developments:
| Date | Development |
|---|---|
| February 2018 | SEC issues interpretive cyber disclosure guidance to public companies |
| April 2018 | SEC settles with Yahoo!; first public company cyber disclosure case |
| 2019 | SEC does not bring any public company cyber cases |
| 2020 | SEC does not bring any public company cyber cases |
| April 2021 | Gary Gensler is sworn in as SEC Chair |
| June 2021 | SEC settles with First American; first cyber disclosure controls case |
| August 2021 | SEC settles with Pearson plc for allegedly negligent cyber disclosures |
| March 2023 | SEC settles with Blackbaud for allegedly negligent cyber disclosures |
| June 2023 | SEC adopts cybersecurity disclosure rules for public companies |
| October 2023 | SEC sues SolarWinds and its CISO for fraud; first cyber case against an individual; first cyber internal accounting controls case |
| December 2023 | SEC 8-K cyber disclosure rules go into effect (and criminals immediately seek to weaponize them against companies) |
Early 2024 witnessed a steady drip of SEC cyber news as the new disclosure rules went into effect, but nothing seismic. Then, in June 2024, the plot thickened.
- On June 18, the SEC brought the first-ever settled cyber internal accounting controls case against R.R. Donnelley. The case represented—in the view of many—an aggressive and unwarranted expansion of the concept of internal accounting controls to encompass cybersecurity controls.
- On July 18, a federal judge dismissed the majority of the SEC’s flagship data breach case against SolarWinds and its CISO. Significantly, the judge found no nexus between cybersecurity controls and the concept of internal accounting controls under the securities laws. In a somewhat pyrrhic victory for the SEC, however, the judge did allow key fraud claims against the company and the CISO to move forward.
What do the SolarWinds ruling and other recent developments mean for the future of the SEC’s cyber regulatory program? Will the SEC’s “lack of moderation” result in “violent ends” for its cyber agenda? Or will the current regime of strict cyber + securities scrutiny become the new normal for public companies?
The end of this story is unwritten. Let’s look at two possible futures.
Future #1: Back to the Future
When the SEC Division of Enforcement wants to bring a case, it has to make a recommendation to the Commission. The Commission has five members, all nominated by the President; by statute no more than three may belong to the same political party, and the President designates one of them as Chair. In practice, this gives the party holding the presidency a 3-2 majority whenever the Commission is fully staffed. Assuming ideological unity on the part of the majority (which is often but not always true), the Commission can pass rules and approve enforcement actions as the Chair desires.
In one possible future, a new Republican-appointed Chair and fresh majority of the Commission will have meaningfully different views from the current Commission on public company cyber enforcement. For a sense of what these views could be, look no further than the colorful public statements of Commissioner Hester Peirce.
Since joining the agency in 2018, Commissioner Peirce has frequently publicly dissented from SEC rulemaking and enforcement actions in a variety of areas. At a high level of abstraction, Commissioner Peirce tends to favor less regulation, more engagement with industry, and a generally less “violent”—my words, not hers (see above)—SEC.
Commissioner Peirce publicly dissented from the adoption of the SEC’s public company cybersecurity rules. Among other critiques, Commissioner Peirce suggested that the disclosure rules would force companies to divert resources away from core cybersecurity hygiene and toward disclosure-related considerations. She also warned: “Once the SEC can peer into how all public companies handle cybersecurity, the temptation to micromanage their operations will only grow.” While she did not rule out the possibility that a more streamlined cyber rule might have received her vote, she also pointedly observed that the SEC already has the ability to bring cyber cases against public companies by using traditional anti-fraud tools.
The rules were ultimately passed by a 3-2 vote. Commissioner Mark Uyeda, who often sides with Commissioner Peirce, also voted against the rules. Later, Congressional Republicans introduced a resolution to repeal the rules.
Commissioners Peirce and Uyeda also dissented from the settled case against R.R. Donnelley, criticizing the SEC’s use of an internal accounting controls theory as a catchall “Swiss Army Statute.”
In a spicy (for SEC world, anyway) conclusion to the dissent, the Commissioners wrote:

"Eliding the distinction between administrative controls and accounting controls has utility for the Commission. As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies' cybersecurity practices. Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation. The Commission's assurances in connection with the recent cyber-disclosure rulemaking ring untrue if the Commission plans to dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool. Also concerning is the Commission's decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company's harm from a cyberattack."
As we saw, just a month later, Commissioner Peirce’s negative view of the cyber internal accounting controls theory was shared by the SolarWinds judge (who is a well-respected, right-down-the-middle jurist).
It’s not a foregone conclusion that Commissioner Peirce’s ideas would be dominant in a future SEC with a Republican majority, but it is a distinct possibility. If so, what might public company cyber + securities regulation look like under a Peirce-y SEC?
- The SEC will likely consider amending or repealing the public company cybersecurity disclosure rules.
- The SEC will likely retreat from bringing non-fraud, controls-related cybersecurity cases against public companies. This would include passing on both internal accounting controls cases and marginal disclosure controls cases.
- The SEC will reserve the right to continue to bring public company cybersecurity enforcement cases in exceptional circumstances.
- In practice, investigations will be rarer, filed actions will be few and far between, and cases against individuals will be unlikely absent egregious misconduct.
Future #2: Brave New World
In another alternative future, the Commission’s approach to cyber + securities enforcement will continue to build on the trends that we see today. As Chair Gary Gensler has stated, the current SEC is “not afraid to litigate matters” when it believes it has a righteous case. The SolarWinds case (along with the SEC’s vigorous multi-front litigation against the crypto industry) is evidence of this aggressive approach.
In a Gensler-led or Gensler-aligned future Commission:
- The public company cybersecurity disclosure rules will remain in place.
- The Division of Corporation Finance will likely continue to actively search for cyber-related disclosure deficiencies, including via affirmative outreach to companies that have experienced breaches that are not subsequently disclosed in SEC filings.
- The Division of Enforcement will devote resources to conducting thorough investigations of public company cyber disclosures.
- As it does across the enforcement program, the SEC will continue to look for opportunities to bring cyber-related cases against individuals. Such cases should, however, continue to be rare in the cyber arena.
- In one possible scenario, despite setbacks in SolarWinds, the SEC will continue to push marginal Donnelley-esque cases aggressively against defendants. While cyber internal accounting controls cases may be difficult to justify, the SEC can still bring cases based on negligence-based fraud (Section 17(a) of the Securities Act) and/or disclosure controls theories. If the agency runs into a company with an appetite for litigation (which is rare for public companies in battles with the SEC), the federal courts could continue to trim the agency’s sails. SolarWinds was the first time the judiciary had the opportunity to weigh in on the SEC’s view of itself as a cyber + securities enforcer—and, as we have discussed, the agency came out of the encounter with some missing appendages.
- In another possible scenario, with battle scars from SolarWinds still fresh, the SEC will pick its public company cyber spots more carefully, looking for strong evidence and walking away from more marginal cases.
Swear Not by the Inconstant Moon
Faced with these dichotomous possible futures, how should public companies approach cyber + securities compliance in the second half of 2024? The answer, of course, can be found in the Bard’s immortal words.
At the time of this writing, it is impossible to predict what steps the inconstant SEC may or may not take in the future.
Regardless of what future we find ourselves living in, there will always be risk at the intersection of data breaches and the federal securities laws. The SolarWinds decision demonstrates this, as do several large historical settlements of private securities litigation arising out of data breaches (e.g., Equifax and Yahoo!).
For now, public company directors and officers will want to continue their diligent efforts to comply with the existing SEC rules, develop robust and mature processes, carefully balance disclosure decisions with infosec considerations, and take reasonable, good-faith steps to holistically manage risk at the intersection of cyber incidents and the securities laws.