At SEC Speaks 2016, the SEC Enforcement Division indicated that they are interested in investigating public companies’ failure to disclose cyber breaches.
No such case has been brought yet. The SEC’s enforcement actions on cyber incidents have been limited to two areas: registered firms that failed to have policies and procedures to protect customer information accounts, and hackers who steal material non-public information to gain market advantages.
The Staff recognizes that a company’s first response to a cyber intrusion is to assess the situation and minimize the damage. In their view, a critical part of this process is contacting law enforcement. They have heard anecdotally that companies may be reluctant to report cyber breaches to law enforcement because they do not want to be subject to possible government investigations.
The Staff emphasized that they understand that the complexity of cyber incidents makes disclosure decisions particularly difficult. They are aware that it is a challenge for companies facing breaches to determine whether, when and what to disclose given that the problem, and possibly the solution, could both be moving targets, as critical facts can change quickly. The Staff stressed that they are not looking to second-guess good faith decisions by companies about disclosure, but can envision circumstances where they would bring action for a “significant disclosure failure.”
While companies may be reluctant to report cyber intrusions, in any investigation, the Staff would evaluate the full scope of a company’s cooperation with law enforcement and credit that cooperation. Self-reporting is a critical factor for receiving “substantial credit.”
The Staff also discussed the cases it has brought against gatekeepers, which turn on the function of gatekeepers or on the nature of representations that they made to the public and others. Gatekeepers would include attorneys, directors, auditors and underwriters, whose role is to act as a “check” on the possibility of misconduct by other people.
Gatekeepers often operate in closely regulated parts of the securities industry or in professions with significant rule-based standards. This past year the SEC brought several actions against auditors for failure to comply with the PCAOB’s relevant auditing standards, and against attorneys for issuing legal opinions without doing any research or underlying diligence to support those opinions.
Unlike in other enforcement actions, the SEC may go beyond the typical remedies of injunctions, disgorgement and civil penalties and impose forward-looking investor protection remedies on gatekeepers, such as suspensions or bars.
With respect to whistleblowers, the SEC received over 4,000 tips in 2015 from all over the U.S. and 61 countries outside the U.S., and gave over $37 million in awards, including to four whistleblowers living in foreign countries. The most common subjects include disclosure and financial matters, offering frauds and market manipulation.
The Staff discussed the KBR case, which resulted in the company’s changing language to make clear that nothing in an agreement with employees prohibits current and former employees from reporting possible violations of federal law; employees do not need prior authorization by the company or even need to notify the company.
The Staff indicated that companies should amend any agreements that “in word or effect” stop employees from reporting potential violations to the SEC. Any evaluation or analysis of similar enforcement cases will turn on the facts and circumstances of each case. The Staff stressed that there are “no hard and fast rules.”