The Securities and Exchange Commission (SEC) recently laid charges against a U.S. software company and its Chief Information Security Officer (CISO). The charges allege fraudulent activities and failures in managing cybersecurity risks, leading to a cyberattack from 2018 to at least 2020 by a gang tied to Russian intelligence.
The SEC has accused the software company of breaching the Securities Act of 1933 and the Securities Exchange Act of 1934. Additionally, the CISO was charged with assisting and abetting the company’s actions.
This move by the SEC is a strong reminder of the increasing liability risk for directors and officers regarding cybersecurity disclosure, as well as the need for appropriate due diligence in assessing and ensuring companies have an appropriate cybersecurity program in place.
Guidance from the SEC and CSA
The SEC’s enforcement action is in line with its newly adopted rules concerning cybersecurity disclosure obligations, which came into effect in September 2023. These rules require public companies in the U.S. to disclose material cybersecurity incidents and report on their risk assessment and mitigation processes. This includes the roles of management and the board in overseeing these processes.
Similarly, in Canada reporting issuers that are subject to a cybersecurity breach must determine whether the incident is a material fact or material change that requires disclosure in accordance with Canadian securities laws. While there is no bright line test for materiality, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 51-347 (Staff Notice) in February 2017, which provides guidance to Canadian public companies regarding their cybersecurity disclosure practices.
The Staff Notice states, among other things, that cybersecurity policies of Canadian reporting issuers should include preventive measures, staff training and a comprehensive cybersecurity incident response plan. It also emphasizes the importance of determining the materiality of cybersecurity incidents for appropriate disclosure under securities legislation. Issuers reporting in Canada are reminded that they must issue a press release forthwith upon determining that a cybersecurity breach is material.
These rules highlight the need for continuous attention to cybersecurity risks by directors and management in both Canada and the U.S. Consequently, directors and officers should ensure that companies:
- Dedicate necessary resources to cybersecurity assessments, monitoring of threats and advancements.
- Provide straightforward reports on security challenges to directors and management.
- Frequently update their cybersecurity disclosures to be precise and tailored to the specific business.
- Conduct regular staff training on cybersecurity practices.
- Establish a clear incident response plan for cybersecurity events.
How we can help
In response to these regulatory requirements, it’s important to apply appropriate due diligence in assessing and ensuring companies have an appropriate cybersecurity program. For more guidance on how to implement these measures and protect your company from cybersecurity risks, our Privacy, Data Protection & Cybersecurity and Corporate Finance & Securities groups can assist with developing incident response strategies, preparing for and responding to an incident, ensuring compliance with disclosure obligations and advising on risk management practices. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.