Our thinking

Cybersecurity: Legal implications and risk management

What's inside

In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.

Cybersecurity crisis management

The internet knows no borders, neither do we. Our global team of cybersecurity response experts work across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.

The digitalization and free flow of information has transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction, and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the stealing of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise. 

Key issues

Why?

  • Reputation
  • Fines
  • Breach of contract
  • M&A due diligence
  • Insurance
  • Proprietary information
  • Litigation
  • Criminal offences
  • Negligence

Be prepared

Risk Assessment

  • Key Information
  • Assets
  • Key Systems
  • Threat Analysis
  • Security Measures

Toolkit

  • Scripts
  • Internal and 
    External
  • Communications
  • Employee contacts
  • Response Plan
  • Live Training
  • Business Continuity Plan

Key considerations

Customer/individual rights

  • Requests for data
  • Data Protection Authority Complaints
  • Group litigation orders
  • Resolution mechanisms

B2B relationships

  • Contractual obligations
  • Contractual liability
  • Tort

Reputation management

  • Media strategy
  • Customer interaction
  • Employee engagement

Commercial

  • Proprietary
  • Information/Trade Secrets
  • System Disruption

Regulatory issues

  • Data Protection Authority
  • Financial Regulators
  • Market authorities
  • Other regulators

Privacy & data protection

  • Jurisdictions involved
  • Reporting obligations
    • individuals
    • authorities

Evidence

  • Law Enforcement Involvement
  • Legal Privilege
  • Preservation of Evidence

Response

Crisis Team

  • Legal (internal and external)
  • IT/IT Forensics
  • PR
  • Regulatory
  • DPO
  • Executive committee
  • HR
  • Vendor manager

Key Actions

  • Work with forensic investigators to:
    • Identify and contain breach
    • Gather/preserve evidence
    • Maximise legal privilege coverage
  • Contact crisis team
  • Bring in external partners
  • Identify key risks and priorities based on nature of breach
  • Assess notification requirements
  • Communications
  • Regulatory notifications

 

Articles

2024

NYDFS Releases Artificial Intelligence Cybersecurity Guidance For Covered Entities

On October 16, 2024, the New York State Department of Financial Services (the "DFS"), under its Cybersecurity Regulation—23 NYCRR Part 500—issued a memorandum providing guidance on the risks posed by artificial intelligence ("Guidance Memo").

SEC Will Prioritize AI, Cybersecurity, and Crypto in its 2025 Examination Priorities

On October 21, 2024, the US Securities and Exchange Commission ("SEC") Division of Examinations ("Examination Division") announced its 2025 Examination Priorities ("Report"). Investment advisers and broker-dealers should ensure that policies, procedures and surveillance efforts related to these priorities address concerns outlined in the Report.

SEC Enforcement Heats up on Key Public Company Topics: Cyber Disclosure, Director Independence and Regulation FD

The U.S. Securities and Exchange Commission's ("SEC") Division of Enforcement has recently brought a spate of enforcement actions relating to key topics for public companies. These include enforcement actions related to cybersecurity incident disclosure, director independence and Regulation Fair Disclosure ("Reg FD") violations, which are described below, and actions based on Section 13 and 16 beneficial ownership filings, as discussed in our prior alert.

Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement

On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission's ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company's cybersecurity practice.

NIS 2 Directive: Navigating the challenges of implementation, impact, and scope

The NIS 2 directive establishes a regulatory framework aimed at improving the level of cybersecurity across the EU.

SEC’s Corp Fin Director Issues Statement on Cybersecurity Incident Disclosures

On May 21, 2024, the SEC's Director of the Division of Corporation Finance issued a statement on cybersecurity incident disclosures in light of the SEC's new cybersecurity disclosure rules. Our summary of this statement and key take-aways from White & Case's survey of cybersecurity disclosures is below.

2023

The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies

On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack.

SEC Adopts Mandatory Cybersecurity Disclosure Rules

On July 26, 2023, the Securities and Exchange Commission ("SEC"), in a 3-2 vote, adopted rules that will require public companies to make prescribed cybersecurity disclosures.

Shaping the future of digital and cybersecurity governance

In this brief three-minute video, London-based partner Lawson Caisley, Chair of White & Case's Global Cyber Risk Committee, shares his insights on governing cyber risk at the corporate level and some of the challenges of cyber risk management in the boardroom. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

cybersecurity_square_800x800_4

Prioritizing cybersecurity at the corporate level

In this short three-minute video, Washington, DC–based partner F. Paul Pittman discusses the implications of the proposed new SEC rules on cybersecurity governance and what corporate boards can do now. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

digital mesh

Cybersecurity Developments and Legal Issues

The potential for cybersecurity threats and attacks looms large and the technology companies developing new products and services play a constant game of cat-and-mouse with hackers and cybercriminals for control of cyberspace. Here are six points to consider when analyzing cybersecurity risks and protections.

client alert image

Directors face personal liability over cybersecurity failures

In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".

wafer circuit detail

2022

Director liability for cyber breaches: transatlantic warning signs?

Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cyber security breaches.  

arrow

SEC Proposes Mandatory Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.

2021

Legal 500's In-House Lawyer Magazine Autumn - Commercial Litigation Focus (Germany)

In The Legal 500's newly released In-House Lawyer Magazine a group of White & Case lawyers has contributed a legal briefing on trends in German commercial litigation.

magazine pile

AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?

In recent years, demands for payments in cryptocurrencies have become the ransom of choice for cyber extortionists and other online frauds. As a result, the English Court's powers are increasingly being called upon.

orange background

Time to Revisit Risk Factors in Periodic Reports

Ninth Circuit Decision Highlights Importance of Updating Risk Factors to Address Material Developments, including those relating to Cybersecurity Risks.

Alert 800x800

Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation

Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.

Compensating non-material damages based on Article 82 GDPR

Is a data subject entitled to compensation from a controller or processor if the data subject's GDPR rights have been infringed, even if they have not suffered any kind of material damage? 

Corporate Boards Must Ask Key Cybersecurity Questions

Cybersecurity has been a mainstay of quarterly board agendas for years.

2020

Cybersecurity Risk: Top 5 strategies to build resilience

The fourth webinar in our 2020 Autumn Webinar Series covered crucial steps you should be taking to protect against cybersecurity threats and what you should do when disaster strikes.

Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law

Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.

stack of paper

US Cybersecurity Standards to Get Tougher and More Specific

In the past few years, cybersecurity has taken on increasing importance in the eyes of lawmakers and regulators.

Data Sharing Without Borders

UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.

Alert 800x800

Responding to a cyber-incident

The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.

Trending: Legal protection for cryptoasset stakeholders

Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.

Recovering the ransom: High Court confirms Bitcoin status as property

The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.

2019

Navigating Privacy and Cyber Incident Notification and Disclosure Requirements

Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.

Proposal on the Application of the NIS Regulations post-Brexit

This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.

Contacts

SEC Enforcement Heats up on Key Public Company Topics: Cyber Disclosure, Director Independence and Regulation FD

Alert
|
13 min read

The U.S. Securities and Exchange Commission's ("SEC") Division of Enforcement has recently brought a spate of enforcement actions relating to key topics for public companies. These include enforcement actions related to cybersecurity incident disclosure, director independence and Regulation Fair Disclosure ("Reg FD") violations, which are described below1, and actions based on Section 13 and 16 beneficial ownership filings, as discussed in our prior alert.2

Cyber Disclosure Enforcement Actions

On October 22, 2024, the SEC announced charges against four companies for making materially misleading disclosures regarding cybersecurity. One company was also charged with disclosure controls and procedures violations.3 These actions all arose from the SEC's investigation of public companies that were potentially impacted by the compromise of SolarWinds Corp.'s' Orion software.4 The companies agreed to pay civil penalties ranging from $990,000 to $4 million.

According to the SEC's orders against each of the four companies5, the companies had learned that a threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized these cybersecurity incidents in public disclosures. Specifically, the SEC found that one company's Form 10-K described its risks from cybersecurity events as hypothetical, despite the company knowing that it had experienced two SolarWinds-related intrusions involving the unauthorized transfer of very large amounts of data. The SEC's order also noted that these materially misleading disclosures resulted in part from the company's deficient disclosure controls, stating that the Company's "incident response policies did not reasonably require cybersecurity personnel to report information to [the Company's] disclosure decision makers and contained no criteria for determining which incidents or information should be reported outside the information security organization."6

Similarly, the SEC found that another company, a foreign private issuer, knew of the cybersecurity compromise, but in its Form 20-F described cyber intrusions and risks from them in only generic terms and "omitted new and material cybersecurity risks" arising out of the SolarWinds compromise. In another order, the SEC noted that the company stated in its Form 10-Q that the threat actor had accessed a "limited number of [the] Company's email messages," that "there was no current evidence of unauthorized access" and that the company did "not believe that this incident has had or will have a material and adverse impact on our business or operations." In fact, the company knew that at least 145 files in its cloud file sharing environment had been accessed, that there had been a long-term unmonitored presence of the threat actor in the company's systems, the threat actor had accessed the emails of company cybersecurity personnel, and that there was likely involvement of a nation-state as a threat actor. Lastly, the SEC noted that a fourth company filed a Form 8-K that minimized the attack by quantifying certain aspects of the breach but failed to disclose the nature of the code the threat actor targeted and the quantity of encrypted credentials the threat actor accessed.7

Overall, the SEC emphasized the importance of not downplaying the extent of a cybersecurity breach and focused on risk factors, noting that "the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized" and that the "federal securities laws prohibit half-truths." SEC Commissioners Peirce and Uyeda issued a joint dissenting statement against these actions, taking the position that the SEC is regulating by enforcement and citing immaterial, undisclosed details to support the charges, details that they do not believe would have altered the "total mix" of information.

It is also notable that the SEC did not charge these companies with violating the internal accounting controls provision, Section 13(b)(2)(B), which was one of the claims that a federal court dismissed in the SolarWinds case. The Court there found that the term "internal accounting controls" refers to a company's "financial accounting," and not cybersecurity controls. Prior to that decision, the SEC often included this charge in their cybersecurity disclosure actions.

Taken together, these actions provide important lessons for public companies about the disclosure of cybersecurity incidents:

  • Do not disclose a risk as hypothetical when in fact that risk has already occurred and do not describe specific, known risks in only generic terms.
  • Reassess cyber incident response plans (CIRPs) and related disclosure controls to ensure that material cybersecurity incidents are identified and timely elevated to those responsible for ensuring disclosure of material cybersecurity incidents in SEC filings. 
  • Evaluate and update existing disclosure to reflect changing circumstances and the company's changed risk profile as a result of any recent cybersecurity incident.
  • Describe fully and accurately any cybersecurity incidents that are disclosed; quantifying certain aspects of an incident without disclosing other material information on its scope and impact may be materially misleading. Nonetheless, any disclosures should be balanced against the need for the company to avoid revealing critical information about its cybersecurity controls or risk to protect against future cyberattacks. 
  • When evaluating materiality, consider, among other factors, the nature of the company’s particular business and any confirmed attribution of the incident to nation-state actors or global hacker organizations. 

Director Independence

On September 30, 2024, the SEC announced settled charges against a public company director for violating proxy disclosure rules by standing for election as an independent director without informing the board of his close personal friendship with a high-ranking executive, which resulted in a public company's proxy statements containing materially misleading statements regarding his independence.

Specifically, James Craigie, a former CEO and former non-independent corporate director who later served as an independent director, allegedly hid his "close personal relationship" with a company executive from the rest of the board when he completed D&O Questionnaires in which he stated that he did not have a material relationship with the company, including "any other relationship" with the company or its management. According to the SEC's complaint, as a result of his failure to disclose his relationship with a company executive in responses to his D&O questionnaire, the company's proxy statements contained materially misleading statements that inaccurately identified the director as "independent" under both stock exchange listing standards and the company's governance guidelines. When the company ultimately learned of the relationship, it determined that Craigie was not actually independent under these standards based on several factors8:

  • The director maintained a close friendship with one of the company's executives, which included regular, luxury vacations together with their respective spouses, paid for by the director (totaling over $100,000).
  • In addition to not disclosing this relationship to the board during its deliberation over whether he qualified as independent, the director repeatedly requested that the executive keep this relationship a secret, to avoid the appearance of bias.  
  • When the company began a CEO succession process, the director participated in the process of evaluating internal CEO candidates, including the executive, without disclosing their relationship, and he subsequently revealed the CEO succession discussions to the executive, despite being told to keep the search confidential.  
  • When the board considered external CEO candidates, the director suggested an individual that he had a relationship with through the executive, again without disclosing this connection to the board, with the specific intention that this could potentially pave the way for the executive to become CEO down the road.

The SEC alleged that, as an "experienced public company executive and board member," the director "knew, or should have known, the criteria that public company boards use to assess a director's independence, as well as the factors that are important to that analysis. This included personal relationships with company executives."

The director also "understood the importance of the D&O Questionnaire for determining director independence," and that the information would be included in the proxy statement.  In addition, as a director of other public companies, this director completed other D&O questionnaires, some of which included questions that "further clarified what facts and circumstances Craigie should have considered when responding to the [company's] questionnaire."

As a result, the SEC found that Craigie was directly liable for the misstatements in the company's proxy statements as to his independent director status because he failed to disclose the relationship in his responses to the D&O Questionnaires, and then permitted his name to be used in connection with the company's proxy solicitation, in violation of Section 14(a) of the Exchange Act and Rule 14a-9.

The case is the latest reminder of the importance of the general independence test. In 2010, the New York Stock Exchange had also focused on this issue, targeting a public company over how a board determined the independence of a director who owned a real estate development with the company's chief executive.10 In light of this enforcement action, companies are reminded to:

  • Consider what types of relationships would impair director independence under the general independence test, including what might be considered a "close personal friendship", and what factors might weigh in favor of a determination that a director lacks independence.
  • Ensure your D&O questionnaire asks sufficiently detailed and direct questions to elicit relevant information to assess independence. For example, in the question about the general independence test, consider adding an explanation that personal friendships and other relationships with management should be disclosed and provide examples of the types of relationships that could impair independence. It is also advisable to make clear that the responses to D&O Questionnaires form the basis for disclosures made by the company in its SEC filings.
  • Make sure your directors are engaged in the director independence process and disclosing information that would be relevant for an independence assessment and educate your directors and management on the importance of complete and accurate disclosure, and the potential consequences of failures to disclose.

Regulation FD Violations for Disclosing Material Nonpublic Information in Social Media Posts

On September 26, 2024, the SEC charged DraftKings Inc., with violations of Reg FD in connection with the posting of material nonpublic information ("MNPI") to certain social media accounts associated with the company's CEO.   According to the SEC, the company's external public relations firm posted MNPI on the CEO's personal X and LinkedIn accounts, including statements about the company's second quarter earnings prior to the company's disclosure of this information to the public. Neither of these accounts was a Reg FD-compliant distribution channel.13

Notably, the company's communications team recognized the error and had the posts taken down within half an hour. However, the company did not take any steps to promptly disclose the inadvertently disseminated information to the general public, as required by Reg FD, and instead waited until its previously scheduled earnings release a full week later to disclose the information.

The postings violated the company's social media policy, which prohibited the sharing of such information via social media, and the "quiet period" provisions in its Regulation FD Policy, which prohibited disclosure or discussion of financial or operational results or guidance, performance during the period prior to an earnings release. The settlement required all company "employees who have responsibilities relating to corporate communications to attend training regarding Regulation FD" and the company's Regulation FD Policy. 

Companies are reminded to:

  • Ensure that external IR providers are complying with the Company's policies and receiving appropriate oversight from Company management to confirm compliance with Reg FD. 
  • Ensure that social media accounts of executives are not disclosing any material nonpublic information.
  • Cleary identify Reg FD compliant manners of disclosure and communicate these to relevant parties.
  • Regularly educate employees and consultants on the requirements of Reg FD and the company's Reg FD policy and provide training on the company's social media and Reg FD policies. 
  • Regularly educate employees and consultants on the requirements of Reg FD and the company's Reg FD policy and provide training on the company's social media and Reg FD policies. 

The following White & Case attorneys authored this alert: Maia Gez, Scott Levi, F. Paul Pittman, Michelle Rutta, Tami Stark and Danielle Herrick.

1 The SEC's press releases are available at:

2 Notably, these were the first SEC enforcement actions on director independence and Reg FD since 2022 and 2021, respectively, and the first SEC enforcement actions regarding cybersecurity disclosures since the SolarWinds Corp. decision in July of this year. The most recent prior SEC action related to director independence was In the Matter of Leaf Group Ltd., in which a "compensation committee interlock" disqualified the director as independent under stock exchange listing standards and also required specific disclosure in Leaf's proxy statement. The most recent action regarding a Reg FD violation was SEC vs. AT&T, et al., where the SEC found that investor relations executives at the company made private, one-on-one calls to analysts disclosing material internal company data and metrics in order to lower consensus revenue expectations for the quarter, and therefore avoid falling short of such expectations, in violation of Reg FD.
3 See In the Matter of Unisys Corporation.
4 For more information on the SolarWinds breach and related SEC charges, see our prior alerts, The SEC's Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies and Judge Rejects SEC's Aggressive Approach to Cybersecurity Enforcement.
5 The SEC's orders are available at the following: 

6 After investigating its cybersecurity controls, the company "publicly disclosed a material weakness in its disclosure controls and procedures and internal control over financial reporting related to the design and maintenance of effective formal policies and procedures over information being communicated by the IT function and the legal and compliance function to those responsible for governance to allow timely decisions related to both financial reporting and other non-financial reporting."
7 Note that this Form 8-K was filed before the SEC's new cybersecurity disclosure rules were adopted.
8 It is worth noting that while the SEC was investigating Craigie's relationship with the executive, Craigie was instructed not to communicate with other parties, including the executive, and had received a document retention notice from the company. Despite this, Craigie sent a letter to the executive discussing matters relevant to the SEC's investigation and indicated that he should discard the letter after reading it.
9 Craigie "did not similarly vacation with, nor pay expenses for, other [company] executives."
10 See Wall Street Journal, "Big Board Questions Black & Decker.
11 Reg FD is available here. As a reminder, Reg FD prohibits public companies, or persons acting on their behalf, from selectively disclosing MNPI to certain securities professionals or shareholders who might trade on the basis of such information before it has been made public.  Information is considered public for Reg FD purposes if it has been disseminated through a method that is reasonably designed to result in broad, non-exclusionary distribution to the public, such as a broadly disseminated press release or Form 8-K filing. An inadvertent disclosure of MNPI can be cured by making prompt public disclosure of the information (typically within 24 hours).
12 The SEC's press release is available here and its order is available here.
13 Use of company websites or social media accounts as a Reg FD compliant method of distribution is rare. Prior SEC guidance on use of such websites or accounts (2008 interpretive release on Reg FD compliance and 2013 report of investigation of Reg FD compliance) makes clear that public companies who want to use such fora to disseminate information in compliance with Reg FD must first take specific steps to establish that forum as a recognized channel of distribution.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Top