SEF D.C.: The SEC’s Role in Cybersecurity—Rulemaking, Enforcement, and Coordination With the DOJ and Other Regulators

Here is a transcript from the cybersecurity panel at the excellent post-election Securities Enforcement Forum in Washington, D.C. The panelists were:

  • Alec Koch, Partner, King & Spalding

  • George Canellos, Partner, Milbank LLP

  • Stephen Cohen, Partner, Sidley Austin

  • Melissa Hodgman, Associate Director, SEC

  • David Peavler, Partner, Jones Day

You can find the video here and the full agenda here.

00:00 - 00:38

Bruce Carton: We are off to a great start with this panel on the SEC's role in cybersecurity, rulemaking, enforcement, coordination with the DOJ and other regulators. And let me start by introducing our moderator, Alec Koch, Partner at King & Spalding and co-leader of the firm's securities enforcement and regulation practice. Alec also served as a former assistant director at the SEC. Welcome, Alec. And to his left, George Canellos, a partner at Milbank in New York. George previously served as co-director of the SEC's Division of Enforcement and was an AUSA in the Southern District of New York where he

00:38 - 01:15

Bruce Carton: was Chief of the Major Crimes Unit. George, it's great to see you. Welcome. Next down the line, Steve Cohen. Steve is a partner at Sidley Austin in DC and Steve previously served for 12 years at the SEC, most recently as Associate Director in the Enforcement Division. Welcome Steve. Next from the SEC, very pleased to welcome back Melissa Hodgman. She's Associate Director in the Division of Enforcement and joined the SEC in 2008 and was one of the first members of the Market Abuse Unit. Melissa, great to see you. Welcome. Thank you, Bruce. Finally, I am pleased to

01:15 - 01:25

Bruce Carton: introduce David Peavler. He is a partner at Jones Day in Dallas and David of course previously served as regional director of the SEC's Fort Worth office. Welcome David.

01:27 - 02:03

Alec Koch: Thank you Bruce and thank you all for being here for the coveted first panel after the election. I'm not sure how many people would be in the room, but this is a great turnout. We have a lot to cover in terms of what has happened on the cybersecurity front at the SEC in the last year. We've got rulemaking, we've got guidance, enforcement actions, dissents, court decisions, and we'll try to get through all of it in the next 45 minutes. But we thought we would start, and maybe, Melissa, I'll turn it to you to give a brief

02:03 - 02:23

Alec Koch: overview of the rule that the commission passed and adopted last year and in particular focusing on the requirements for disclosure of incidents and assessing the materiality of those. So after you do your disclaimer, I'll pitch it to you.

02:23 - 02:57

Melissa Hodgman: All right, good morning. First of all, I'm impressed how many people are in this room. I wasn't expecting this many people. So I am an associate director in the Division of Enforcement appearing in my official capacity, so you can't blame anybody at the SEC for what I say today. The rule that was passed was intended to be common sense. It was intended to be something that people could easily interpret and apply, and it was intended to be responsive to what investors in the market need in terms of information with regard to cybersecurity. Cybersecurity has become something

02:57 - 03:38

Melissa Hodgman: that can be extraordinarily costly, even devastating to a business, and investors, in order to make investment decisions or voting decisions, need certain information on a timely basis. And so the incident reporting aspect of the rule, which is, I believe, what I'll be covering to start with, is intended to give timely, accurate information to investors to make those investment decisions. Once you have determined, and you cannot have an unreasonable delay in your determination, that there has been a material cyber event, you have four days to disclose information into the marketplace. And that is the hope there is

03:38 - 04:13

Melissa Hodgman: one, not to create additional victims. One of the things that we were seeing that I think helped generate this rule was people were delaying reporting and their customers, their investors, others were becoming victims in the process. And also the SEC didn't have the information it needed. And we see across the market, we get information from multiple parties. Sometimes we're able to find a pattern and prevent things. We're able to figure out who's engaging in behavior and actually get money back or stop the flow of funds. And so the information is absolutely key and the timeliness of

04:13 - 04:44

Melissa Hodgman: it is absolutely key. The materiality standard is the usual materiality standard. It's Basic v. Levinson. It isn't something that I think should be hard for us to apply at this point in time, any harder than it is to always apply materiality, which is one of the challenges that we'll have. But this isn't a gotcha rule. This is intended for people to work with us. It's similar to what we have with regard to our Reg SCI entities. And so we do have a lot of experience with this.

04:46 - 05:12

Alec Koch: Thanks. Steve, there's some other elements of the rule as well, you know, things relating to risk management, governance, and some other disclosure requirements. Could you maybe talk a little bit about those and also, you know, some of the topics that you find yourself frequently giving clients advice on and kinds of things that you're talking about with them.

05:12 - 05:43

Steve Cohen: Sure. Thanks, Alec. I think, as we all know, a lot of attention gets paid to the incident response issues because that's what a lot of people are confronting. But of course the rule does set forth a variety of things. Also exciting to talk about immediately after the election this morning is everybody loves talking about the particularities of what things need to be included in 10-Ks and 20-Fs. So I'll just try to tick off some of the key things. I will observe, like with so many other, I think generally required disclosures, we're seeing a convergence of very

05:43 - 06:20

Steve Cohen: similar disclosures across a lot of companies, because I think the kinds of things that companies are doing are appropriately similar, and so we'll see kind of how this shakes out in terms of, you know, separation and particularity. So as far as risk management and strategy is concerned, companies are required to put into their 10-Ks, or disclose in their 20-Fs, information about their processes for assessing, identifying and managing material risks for cybersecurity incidents. And when they do that, they must also talk about whether and how their cybersecurity program fits into their overall risk management

06:20 - 07:00

Steve Cohen: program. They need to make disclosures about whether they engage third parties, consultants, et cetera, and whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with their use of third party providers. And I would just highlight, if we're ticking off things that we're seeing now that we're kind of past, for most companies, year one, a lot of focus on third party providers after folks are kind of looking inwardly. Registrants also have to disclose whether any risks from threats, including incidents that have already occurred, materially affected or are reasonably likely to affect

07:00 - 07:42

Steve Cohen: the registrant, and that's not a surprise. So that's just the overall risk framework and then there's separate disclosures that are required in 10-K or 20-F as it relates to board and management oversight. On the board front, companies are required to disclose what is the board of directors oversight of the risks from cyber security threats, including are there any committees or particular subcommittees responsible for this, as well as how is information getting to the board from management about these risks and incidents. And then from the management front, companies are required to disclose management's role and their expertise

07:42 - 08:19

Steve Cohen: in assessing and managing material risks from cybersecurity threats. That includes whether and which management positions or committees are responsible for assessing and managing these risks. What are the processes for management to be informed about these risks? And whether persons or committees report information or risks to the board, and if so, how do they do that? Obviously, if you put these things together, the answer is generally yes, they are doing these things, and they are reporting that information appropriately. In terms of what we're seeing, I mean, obviously the rule is lengthy. That's just kind of an overview.

08:19 - 08:51

Steve Cohen: But in terms of what we're seeing, I think starting with where Melissa was, I think materiality remains an issue. I think that it was probably appropriate for the SEC not to redefine materiality in the context of cybersecurity given all of the law out there, but it also poses a problem. We see clients really struggling with the question of what kind of cybersecurity incident is material, and I think that's because there's overall disagreement as to whether the vast majority of incidents really are material in the context of an overall business, and it's hard. These are hard decisions.

08:51 - 09:22

Steve Cohen: I'll just quickly note, even the question of what constitutes a cybersecurity incident is a challenge for some companies. The rule is written very broadly, and there's a lot of words around this concept. And so I do think on the lighter end, whether something constitutes an incident is something a lot of companies are spending time with. And lastly on the materiality point, look, I mean, I agree with Melissa that I think the intention of the rule as written was not to play a game of gotcha. But I do think one of the things that companies are struggling

09:22 - 09:57

Steve Cohen: with is that the division is coming in after they're aware of breaches and looking at and questioning broadly how a company determined whether something was material and pressing on the decision about whether it's material. So I think there's a little bit of tension between, you know, kind of a new rule of this nature and I think a lot of efforts by the division really to push on questions of materiality even in instances where there may not be known issues. So we'll see how all of that shapes out. I think in terms of the, you know,

09:57 - 10:31

Steve Cohen: as everybody knows and as Melissa talked about, everybody knows about the four-day provision, I think what we're seeing in terms of difficulty is how quickly companies can ascertain whether a breach is material. That can take days, it can take weeks. The rule does allow for that, but then you have four days, and I think when does the clock start ticking? I think what we're talking to a lot of companies about is two main things. Disclosure controls really are important. How a company works into their incident response plan, the disclosure controls having clear but not overly prescriptive

10:32 - 11:03

Steve Cohen: process by which to determine whether something is material and how that information gets appropriately communicated internally, including to disclosure counsel, is the key. And then following that process really, I think, is helpful when and if the staff comes and asks questions about how you determined what you determined. And then of course companies should be reviewing their existing cybersecurity risk management, strategy and governance practices in light of the disclosure requirements to make sure they're meeting all of the 10-K obligations and of course are prepared to meet their 8-K obligations. Thanks,

11:03 - 11:35

Melissa Hodgman: Steve. Before we go on from there, that last point, don't just review them because of the current rulemaking, review them every year. Review them when you change your business lines. Review them when your cyber threat changes. Review them annually. Review them, find a way to keep doing that because I think that's where we often see the place where people can fall down with regard to this. And I know you said at the beginning that people are kind of falling in line and we're getting somewhat generic disclosure with regard to things.

11:35 - 11:36

Steve Cohen: It's a generic, but yes,

11:37 - 12:02

Melissa Hodgman: convergence. Got it. Convergence. Convergence. Apologies. Make sure that what you're doing is good for your business. You guys know what you have. You know what your risks are. You know what your clients' risks are. You can have those conversations. These need to be bespoke policies often. And so be thinking about that in this context. Just don't write something, put it on the shelf and not go forward, which is, I think, exactly what Steve was saying.

12:03 - 12:05

David Peavler: Agreed. Thanks.

12:05 - 12:28

Alec Koch: Thank you both. George, both Melissa and Steve talked about some of the issues around assessing materiality, and Corp Fin put out some guidance on that earlier this year. Can you talk a little bit about that guidance and topic and how companies might think about making a voluntary disclosure versus a required disclosure?

12:28 - 13:15

George Canellos: Sure. Sure. I might be a little indirect in my answer to that. Okay. Look, I think the rules in general were much needed, right? I think we had very little guidance in this space, and I applaud the commission for coming up, taking a stab at it. Their rulemaking, I think, is imperfect and their guidance is minimal. So as we experience the world under the new regime of these disclosure standards, I think that how enforcement and how the Commission interprets these rules, how judicious it is in exercising its discretion are critical because I really do think that

13:15 - 14:02

George Canellos: the guidance that we've received is minimal. On the cybersecurity incident requirement under 8-K, just to sort of illustrate the challenges both for the Commission and for anyone who's seeking to comply with a rule in a way that doesn't make them vulnerable to Monday morning quarterbacking, you have the decision that the Commission made, which was not to be prescriptive when it comes to materiality, but instead to borrow the Basic v. Levinson test of materiality. What's reasonable, what's important to a reasonable investor. So there's no definition of materiality. And the standard for reporting under, the 8-K standard for

14:02 - 14:51

George Canellos: reporting is you have to report within four days of the registrant determining that the incident is material, and at that point you need to describe the material aspects of the nature, the scope, and the timing of the incident, and the material impact, or reasonably likely material impact, on the registrant, including financial condition and results of operations. So nature, scope, timing, impact on financial condition, results of operations, are reasonably likely. So a number of elements. And then the instructions also provide that to the extent that the information required by the rule, which, you know, is at least

14:51 - 15:42

George Canellos: five components, isn't known at the time of filing, the registrant shall include a statement to that effect, and then disclose the remaining quantum of information within four days of making a determination as to those other undisclosed elements. So it really contemplates a disclosure, likely an initial disclosure that's incomplete, followed by various supplemental disclosures. So again, that's a very challenging standard right there and then. We are dealing with an area when it comes to materiality that is, you know, the Basic v. Levinson standard has been a very handy standard for use in many contexts, but we've usually struggled in

15:42 - 16:20

George Canellos: different areas to come up with something more specific. For example, when we're talking about financial statement disclosure, the commission issued guidance under SAB 99, which has been an incredibly important source of guidance for companies in making judgments as to whether a misstatement discovered in financials is or isn't material. Here when you take the Basic v. Levinson standard and you try to apply it to cyber incidents, I think it's incredibly challenging. And I would just suggest to people that if you read the decisions that have come out or the settlements that have come out, you will be

16:20 - 17:03

George Canellos: very hard pressed to understand where the line is between material and not material. Most of the cases that you'll read or the settlements that come out, the findings will say something like a threat actor entered the system, a threat actor exfiltrated a number, like 42 gigabytes of data. The threat actor moved laterally within the system, and therefore there was some failure to disclose, or therefore your mild disclosure that's rather generic about cyber threats was inaccurate and misleading. And you almost read these cases and say it's really just my tone of voice that makes it material. What

17:03 - 17:52

George Canellos: is 42 gigabytes of data? What kind of data? What kind of data? 42 gigabytes of data. Lateral movement. You know, you say it loud enough and it's, oh, my God, I need to disclose it. There's no clear guidance. And the director of CorpFin, Erik Gerding, issued a statement concurrent with the issuance of the release, which I found, at least from an enforcement perspective, wasn't helpful to advancing the ball. It didn't help to explicate the definition of materiality or what might constitute something that's material. It instead focused on the fact that the new rule 1.05

17:53 - 18:37

George Canellos: of Form 8-K is mandatory, and it also highlighted that, of course, registrants are allowed to disclose anything under 8.01. And I think the way that you would normally approach a cyber incident is you'd say, consistent with guidance that's contained in the adopting release, I don't know really whether this is material or not under the definition. I can see someone arguing it is. I can see someone arguing it isn't. But let's get it out there and disclose it. What the CorpFin statement says is that it's potentially very important which provision you cite under 8-K rules when

18:37 - 19:16

George Canellos: you make the disclosure, saying it could be confusing for investors if you take something that you don't think is material and disclose it under 1.05, because 1.05 is the provision for disclosing things that you've determined to be material. So you can't just say I'm going to err in favor of caution and disclose it under 8.01 saying I've now disclosed it because CorpFin has suggested that when I do that, once it reaches the threshold of materiality, I need to make another disclosure under 8.01. So imagine I put it out, put out the news, and then I reflect

19:16 - 19:51

George Canellos: on it and I say, you know what, probably is material, at least could be argued to be so. I'm gonna file an amendment that relabels the same disclosure or supplements it a little bit and call it a disclosure under 8.01. Not helpful, and also, you know, a real recipe for Monday morning quarterbacking, where someone literally could come in and say, well, you made this disclosure but you made it under 8.01, which heavily implies that it's immaterial, and in fact we think it's material. And you say, well, 8.01 is only used for things that companies think

19:51 - 20:23

George Canellos: are important for investors. Isn't that just also kind of the definition of material? So it's a very challenging situation because I think the Commission struggled to find a definition of material and doesn't know the answer and appropriately determined that it's a facts and circumstances test. And so we're all grappling with that uncertainty as we proceed. So I think, again, this is going to be very interesting how these general provisions get shaped in their application by enforcement.

20:24 - 20:48

Alec Koch: Great. Thank you. Before we get into the recent cases, Dave, there's one other element of the rule that we haven't really talked about, which is the national security public safety exception to the reporting provisions. And there was an example earlier this year of how those were implemented. Could you maybe talk about that a little bit and what happened with AT&T?

20:49 - 21:28

David Peavler: Yeah, and I think in response to a lot of the commentary to the original rule proposal, which was, look, a lot of these cyber events can be damaging if they're disclosed. It can lead to a lot of unintended consequences. The SEC put in an exception. It is intended and I think is in application going to be a very narrow exception that allows companies to delay disclosure where the disclosure, not the event itself, but the disclosure poses a risk to national security or the public safety. And to do that, you've got to jump through several hoops, including

21:28 - 22:08

David Peavler: getting the Attorney General to agree with you. And in response to that carve out, the SEC, FBI, and Department of Justice put out guidance last December, which is intended to provide at least some sense of how you go about this. And I think the one, a couple of common threads through all of that guidance, number 1, speed is a virtue. You don't have time to sit around and think about is this disclosure potentially going to threaten these things. You need to start making that determination almost immediately and speaking with the FBI or the Department of Justice

22:09 - 22:49

David Peavler: on that front. Secondly, and I think DOJ does a good job of explaining this, which is this is intended to be a very limited and narrow and rarely exercised exception from the standpoint that, as I think DOJ put it in their guidance, often the disclosure of a significant event is beneficial to the public. And so they really did try to push companies to the point of saying, okay, we're not going to run to DOJ every time that we think we don't want to disclose something right away and look for an exception. This summer, AT&T actually exercised

22:50 - 23:36

David Peavler: this exception or disclosed something on a delayed basis after getting two extensions from the Department of Justice of announcing a significant breach. I say significant. They actually ultimately determined that it was not considered material to the company's operations or financial results. But essentially in April, AT&T learned that virtually all, if not all, of its call logs and text message logs over several month period and prior periods had been exfiltrated, which is a word that I didn't actually know before this rule came out. But it had been exfiltrated and by some unknown actor. And it included, in

23:36 - 24:19

David Peavler: some cases, data about location. So like, I guess, the cell tower data or something that you could put pieces together. And while there wasn't other information like names or social security numbers and things of that nature, AT&T had concluded that you could, with enough public information, put together what you wanted to identify some things. And they evidently went to the Department of Justice. I assume that many federal agencies, I know the SEC, use AT&T networks for various of their call systems. And so DOJ evidently made the determination that yes, the disclosure of this information would potentially

24:19 - 25:02

David Peavler: present a risk to the national security or the public safety. There's not a ton of detail about, you know, like what are all the analysis that DOJ went through and what were the precise things that DOJ was worried about. But their guidance does suggest that where there is a risk that the disclosure could compromise matters that the government is involved in, could involve techniques or efforts at cyber intrusions that are new and don't yet have a ready solution, that those are a couple of instances in which you might be able to defer this disclosure. So AT&T

25:02 - 25:37

David Peavler: came out in July fairly, I mean, I don't, I wouldn't say it was in detail, but we at least got a sense of the nature of the intrusion, what the harms apparently were and what they were not, and that they had been allowed to delay this. And so I think what we can take away, or at least what I took away and have conveyed to clients who've had this question, the bar is pretty high. At least looking at this, there was a pretty wholesale theft of information of a very significant nature, at least if combined with

25:37 - 26:11

David Peavler: other information, it would be very significant. And if you don't have that, then I think you have to be very cautious about your client because the other thing the SEC has emphasized is the clock doesn't really stop ticking while you ask Department of Justice. You know, that clock is still running and if you've made a materiality determination and DOJ is still on the sidelines, you still have disclosure obligations because I think the SEC's view is, and I think with concurrence from DOJ, disclosure is paramount. And so that's, I think, the best lesson I would take from

26:11 - 26:12

David Peavler: that incident.

26:13 - 26:44

Melissa Hodgman: And before we move on, something I want to take from George and from Dave's comments, the idea that there isn't a lot of information either in our orders or in some of these reports is actually important to your clients. The point is not to give a roadmap. The point is not to provide that kind of detail. And so as you are talking to us during investigations, you can get more information from us about materiality. You can get more information from us about how things are being applied and how things are going forward. But it's absolutely key

26:44 - 26:56

Melissa Hodgman: in this process, and we're balancing with this national security exception and what we're doing, not giving a roadmap so that people can get in or find things. And I think that that's something important for you and your clients to know.

26:57 - 27:21

Alec Koch: Melissa, earlier you mentioned Reg SCI, and we've focused mostly so far on the public company stuff and we'll get to some of the high profile orders and actions involving public companies. But there also was a settlement this year with ICE and maybe could you talk about that for a minute just to cover that?

27:21 - 28:02

Melissa Hodgman: Sure. So our Reg SCI entities are those that are so systemically important they can actually bring down our system, and so we had prior requirements that are near basically what's required now from all public companies, IAs and BDs at this point in time, given where the market has moved and the risks have moved. And so in this instance, we had an intrusion, and Reg SCI requires immediate notification to the SEC. It's very simple. You can call exams. You can send an email. It's meant to be very easy. No barrier to entry. Let us know that you've

28:02 - 28:36

Melissa Hodgman: had an event if you can't determine immediately that it's not material. And then you have to, within 24 hours, disclose more information. The rule makes very clear, we understand this is early days. We understand you may make mistakes. Same thing in the rule that was put out for general cybersecurity. The idea is the SEC needs this information. We're getting it from multiple sources. We may be able to see something and know something that you all can't. We can get it to DOJ. These are all very important things in order to protect the integrity of our system

28:36 - 29:12

Melissa Hodgman: and investors and your clients and everyone else. And unfortunately, law firms are hacked. Auditors are hacked. We're all hacked. The SEC is hacked. So this information helps us in the system to do this immediately. What happened in this case was, ICE was not able to determine that it was de minimis and waited, continued to investigate. It ultimately did determine that it was de minimis, but the violation had already occurred. The point is, we need that information right away in order to protect the system, protect all of you, protect all of your clients.

29:13 - 29:19

Alec Koch: Dave, any takeaways for clients you'd like to add before we move on to some of the public company cases?

29:20 - 29:53

David Peavler: Yeah, not to belabor the dissents that Commissioners Peirce and Uyeda put in response to this case, but I do want to pick up on a couple of threads because I think again when you're advising a client about how do you respond, this is another example of number 1, where speed is of the essence. And to be clear, the delay here was four days. So we're not talking about four months or four years or some long period of time, we're at about four days. And I'm not entirely sure what the SEC would have done in those four days

29:53 - 30:30

David Peavler: that would have made a difference considering that ultimately the company's determination was that it was a de minimis event. But be that as it may, I think again it emphasizes the need to have within your playbook for responding to cyber events a clear statement. We've got to make a determination either that it's de minimis or make a report. That has to be in there. And the other thing, I think, picks up on something Melissa said earlier, which is the analysis of your playbook or your controls over this area on a regular basis. This is a situation

30:30 - 31:08

David Peavler: where ICE actually did have an escalation process within its policies and procedures. The problem, if it's a problem, is that it didn't get it to the right place until it got to a certain level of threat. And so, by the time they actually got it to the right place to make the report, four days had passed, and that's not immediate, in the SEC's opinion. And I'm not saying that facetiously, but I'm saying that is not fast enough. And so it does raise the question of going back and looking for those kinds of holes. And I suspect

31:08 - 31:47

David Peavler: companies that are subject to Reg SCI have already gone back and made sure that they don't have those same kind of holes. But I do think there is an element in this, and again to pick up what the dissent raised, which is from a common sense standpoint, it did seem a little bit harmful, punitive, a $10 million penalty, maybe it's not the biggest penalty ever, but for what amounted to a de minimis failure. In other words, they did not delay in reporting something that ultimately was significant, they delayed reporting something that was ultimately not significant. And

31:47 - 32:24

David Peavler: I think that's really the concern from, you know, what is the SEC's enforcement program trying to do in this area? I guess, and I think you can read from the order, that ICE's prior Reg SCI problem from 2018 played a role. I'm guessing. I don't know that. But that is the suggestion. But I think that's the primary takeaway. Speed, again, is of the essence. And you've got to make sure that your controls match the rule that it's trying to satisfy. Well, speaking of dissents,

32:25 - 32:39

Alec Koch: Why don't we turn to the R.R. Donnelley case, which came out in June. And then we'll talk about the SolarWinds decision from about a month later. But George, do you want to touch briefly on the Donnelley case? Sure.

32:39 - 33:53

George Canellos: So the Donnelley case was a settled case, I think June 18, in the middle of the summer, and produced two dissents from Commissioners Peirce and Uyeda. The settled findings were that R.R. Donnelley company had violated the internal control provisions of the ’34 Act, Section 13(b)(2)(B), as well as SEC Rule 13a-15(a), which requires public companies to have disclosure controls. The case essentially involves findings that represent a broad criticism of R.R. Donnelley's cybersecurity measures and standards and approaches and a criticism in particular of the way it handled a cybersecurity incident that took place in 2021

33:53 - 34:40

George Canellos: that involved some degree of intrusion and exfiltration over about a three-week period before R.R. Donnelly brought in outside experts to address the issue. But essentially, the findings are all focused on intrusion detection systems and procedures and describes, you know, just to take a few examples of the kinds of findings, despite the high volume and complexity of alerts that it received from a third-party vendor, R.R. Donnelly did not reasonably manage the allocation of resources of the third-party manager. It didn't have sufficient procedures to audit and oversee this third party that was involved. It had some of its

34:40 - 35:27

George Canellos: own staff devoted to addressing alerts, but they were allocated tasks of reviewing and responding to these escalated alerts. At the same time as they had other significant responsibilities, failed to assign responsibilities clearly, just a general criticism of the manner in which they handled this incident and generally how their act together, and then concluded that that meant that their internal accounting controls didn't meet the statutory standard and that their disclosure controls didn't meet the regulatory standard. And in particular, for internal controls, the findings focused on the fact that public companies are required to have internal accounting controls

35:27 - 36:14

George Canellos: that are reasonably designed to achieve a number of things. And one of the things that they're required to be reasonably designed to achieve is to ensure that access to assets is permitted only in accordance with management's general or specific authorization. So the specific finding was that the internal computer systems of R.R. Donnelly are important assets of the company and that the procedural infirmities in the manner in which the company, you know, polices for and manages cybersecurity meant that there weren't reasonable safeguards to ensure that those people who access this valuable asset are only people who

36:14 - 37:01

George Canellos: are doing so in accordance with management's general and specific authorization. That was the specific finding. And when it comes to Rule 13a-15, the finding was essentially that these procedures also didn't cause the communication and elevation of information about the incident in a way consistent with the affirmative obligation of the rule, which is, you know, it must be designed to ensure that information required to be disclosed by the issuer in reports that it files is elevated to the attention of those people who make decisions about disclosure. Interestingly this is a 2021, the conduct was in 2021 before

37:01 - 37:53

George Canellos: the new rules were in place, so there were no specific requirements of disclosure, but obviously there may be requirements implicit and explicit in Reg S-K and other provisions for disclosure. So those were the findings. The dissent, the dissenting statement focuses on the notion that you can take a rule focuses only on the internal control element of the findings and focuses on the aspect of the opinion that holds that cyber controls can be viewed as accounting, internal accounting controls. And an interesting segue to the SolarWinds decision that came out a month later, the reasoning of the dissent

37:53 - 38:34

George Canellos: is a little different, but essentially the dissent's position is that the internal control requirements of the ’34 Act come from AICPA standards. They clearly meant to distinguish between administrative protections and safeguards and those that are accounting or control-related. And accounting and control-related provisions have to do with recording and the integrity of managing transactions. It doesn't have to do with any and all assets. And although it doesn't say it in this sense, it kind of, you know, the SolarWinds decision by Judge Engelmayer kind of does. The point is, if you carry to its logical extreme the idea

38:34 - 39:12

George Canellos: that you're supposed to have procedures that are designed to ensure that your assets can't be accessed without management's approval, it would mean how thick your door is, how many locks you have on your door can be prescribed by the SEC and all interpolated through the lens of this provision. So it would in their view be a vast arrogation to the SEC of authority that the SEC wasn't intended to have under this provision. Interestingly the dissent does not extend to the finding that a violation of disclosure controls took place. And that is a provision that's been around

39:12 - 39:56

George Canellos: since shortly after Sarbanes-Oxley was adopted, has been interpreted very, very few times, and has a number of kind of interesting elements to it that were addressed to some extent by Judge Engelmayer. But, you know, one thing that I remember noting when that rule first came out is that all these other general provisions that prescribe controls and procedures say you need to have policies and procedures that are reasonably designed to seek to achieve certain goals. The disclosure control rule doesn't have reasonable in it. It just says you need to have some controls to seek to achieve this

39:56 - 40:34

George Canellos: goal. One way to read it is that as long as you have something, it's adequate. It doesn't have to meet a reasonableness standard. Another way to read it is it's absolute strict liability, because you need to achieve, you need to have rules, policies and controls to achieve the standard. No one's really grappled with that issue, cases have all been settled, and this dissent doesn't really shed light on it. But it does leave open basically a very sound enforcement tool for the SEC to say anything that we don't like about your cyber policies and procedures, we think

40:34 - 40:52

George Canellos: failed disclosure control standard and even our dissenting commissioners don't disagree with that. And I also don't think the SolarWinds decision necessarily dents that interpretation of disclosure control.

40:52 - 40:58

Alec Koch: So I think with that maybe, I think Steve and others, I think we're gonna talk a little bit about SolarWinds. Peter hasn't done a very good job because we have four minutes left to talk about SolarWinds.

40:58 - 41:00

Melissa Hodgman: I think you've done a great job.

41:01 - 41:05

Alec Koch: Yeah, I'll be bad. Steve, do you wanna cover that? Yeah, stay with me.

41:05 - 41:42

Steve Cohen: I think I have to do this in a speed round. I think most people who practice even remotely near cyber issues know the backdrop about Sunburst. It was the most sophisticated nation state actor attack in the U.S.’s history. And what I'm going to focus on is Judge Engelmayer's decision. As folks know, the case was brought against the company and the CISO, the Chief Information Security Officer for allegedly misleading disclosures, a whole different type, a host of them, 8-K pre-incident and post-incident disclosures in periodic filings and non-periodic filings. And so just to kind of hit with where

41:42 - 42:16

Steve Cohen: the judge landed, I guess first I would say the case did survive, a very, very small part of it, and the piece that survived against both the company and the CISO, interestingly, has nothing to do with the incident disclosures or 8-Ks or 10-Ks or anything like it, but a security incident statement that was on the company's website that the court found the allegations sufficiently alleged for years before the attack included information about supposedly strong cybersecurity measures and other things. And the court said that there were sufficient allegations that those were misleading for the case to go forward.

42:18 - 42:55

Steve Cohen: All of the 8-K and 10-K pre and post incident disclosures, those aspects of the broad case were all dismissed, which is an interesting relation to the rule. And here's where I do think it's relevant, because I do think the quits as one district court, but it gives some insight into how a court might look at the SEC's attempts to look, with the benefit of hindsight, at how a company discloses not only its program, because the court dismissed the allegations generally about those disclosures, which it incorporated by reference into their periodic filings, but also the 8-Ks following the incident,

42:56 - 43:32

Steve Cohen: which the court found the allegations were ill-pled and impermissibly relied on hindsight and speculation. So I think disclosure, this is guess where it was disclosed, and I think the court said the manner in which it was disclosed was sufficient. I think I'll just jump to I think what we were getting at before it's important. I think internal control claims. So the court did take on this notion, addressed by this end, that the internal controls over financial reporting provisions do not apply to cybersecurity disclosures. And that's an important decision because it's broad in the sense that it

43:32 - 44:10

Steve Cohen: would, it clearly applies to cybersecurity disclosures, could be read to apply to other things that are not directly applicable to a company's accounting controls, financial controls. And it was pretty harsh, I think, if you read it. It called the claims not tenable, dismissed all of the SEC's precedents. The SEC raised an interesting or novel needs argument, and this is really the issue, this is on the issue that George was talking about, which is this idea of assets, you know, approvals regarding assets consisting with management's general or specific authorization. And the court said, Congress does not hide

44:10 - 44:50

Steve Cohen: elephants in mouseholes, and really rejected out of hand the idea that this part of section 13(b)(2) applies to cybersecurity disclosures, rejected the history and purpose arguments, was pretty straightforward and dismissive. The last thing I want to point out, because it's also related, and this was a pre-rule case, which is important to note, but the other thing is the court did find that the SEC inadequately pled disclosure controls failures by the company. And they said you can't bring a case because the SEC believes that certain incidents were misdescribed, that they had controls. They had controls. They disclosed the controls and the court found that that was good enough.

44:50 - 45:00

Alec Koch: So I planned to give Melissa time to rebut, but I think we are out of time. So thank you all for your attention, and look forward to the next panel. Thank you, Dr. Hicks. And look forward to next time.
