December Edition 2025

In October 2024, the four companies agreed to pay the following civil penalties to settle the SEC’s charges:
» Unisys paid a $4 million penalty;
» Avaya paid a $1 million penalty;
» Check Point paid a $995,000 penalty; and
» Mimecast paid a $990,000 penalty.

These settlements were consistent with SEC policy that had evolved prior to the 2023 rules. For example, in August 2021, the SEC announced a settlement with Pearson plc for making a misleading risk factor disclosure about data breaches. Pearson’s SEC filing included a statement that a data privacy incident was a risk that “could result” in a major breach. The SEC alleged that the SEC filing and a subsequent media statement were misleading because Pearson characterized a known harm as a hypothetical risk. The SEC’s order against Unisys found that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also found that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls. The SEC’s order against Check Point found that it knew of the intrusion but described cyber intrusions and the risks from them in generic terms. In these settlements, the SEC mostly relied on negligence-based fraud claims under the Securities Act or internal controls charges under the Exchange Act stemming from a company’s inadequate policies and procedures regarding the escalation of information about a cybersecurity incident. Importantly, it did not require scienter, the intent to make false statements. The SEC’s announced priorities in connection with CETU signal a narrowed focus on investigating and bringing cybersecurity disclosure actions against reporting companies to those cases where the conduct rises to a higher level of misconduct – i.e., intentionally fraudulent representations.
A Potential Step-down of the Cybersecurity Rules

The Cybersecurity Rules impose broad disclosure requirements on reporting companies aimed at enhancing and standardizing disclosures regarding cybersecurity incidents and controls.
