The U.S. Securities and Exchange Commission (SEC) has guidelines and rules that relate to how publicly traded companies must handle and disclose data breaches. These rules are primarily focused on ensuring that companies provide timely, accurate, and comprehensive information to investors about risks and incidents that could affect their investment decisions. Key aspects of these rules include:
- Disclosure Requirements: Publicly traded companies are required to disclose material information that could affect an investor’s decision to buy, sell, or hold the company’s securities. A data breach can be considered material if it poses a significant risk to the company’s business, financial condition, or reputation.
- Regulation S-K: This regulation provides the SEC’s requirements for non-financial statement disclosures. It includes guidelines on how companies should disclose cybersecurity risks and incidents. The guidance emphasizes that companies should consider the materiality of cybersecurity risks and incidents when preparing disclosures in their periodic and current reports.
- Regulation FD (Fair Disclosure): This regulation requires that publicly traded companies disclose material information to all investors at the same time. If a company selectively discloses material nonpublic information about a data breach (or any other issue) to certain people, it must make that information publicly available simultaneously.
- Cybersecurity Risk Management Policies: While the SEC does not specifically mandate how companies should manage cybersecurity risks, it strongly advises companies to implement comprehensive cybersecurity policies and procedures. These policies should be designed to prevent, detect, and minimize the impact of cybersecurity incidents.
- Reporting Timelines: The SEC does not provide specific timelines for reporting data breaches. However, companies are expected to report material information in a timely manner. The timing of disclosure depends on the nature of the cybersecurity incident and the company’s assessment of its materiality.
- Internal Controls: Companies are expected to have appropriate internal controls in place to ensure that relevant information about cybersecurity risks and incidents is properly identified, processed, and disclosed.
- Whistleblower Protections: The SEC has provisions that protect whistleblowers who report violations of securities laws, including mishandling of data breaches or failure to disclose them appropriately.
It’s important for companies to regularly review and update their disclosure practices in light of evolving cybersecurity risks and SEC guidelines. Additionally, because the regulatory landscape is continually changing, companies need to stay informed about new developments and adjust their policies and disclosures accordingly.
Fines & Penalties
The fines and penalties imposed by the U.S. Securities and Exchange Commission (SEC) for violations related to data breaches and inadequate disclosures can vary significantly based on the severity and nature of the violation. Here are some key points regarding these fines:
- Civil Penalties: The SEC can impose civil penalties on companies and individuals for violations of securities laws. These penalties can be substantial, often running into millions of dollars, depending on factors like the gravity of the violation, the harm caused to investors, and the benefits received by the violator.
- Disgorgement of Profits: In addition to fines, the SEC can require violators to disgorge any profits gained or losses avoided from the illegal activity. This is particularly relevant in cases where insider trading or fraudulent activities are involved.
- Cease-and-Desist Orders: The SEC may issue cease-and-desist orders, which require the violator to stop the unlawful behavior and take steps to prevent future violations. This can include improving cybersecurity measures and disclosure practices.
- Officer and Director Bars: In more severe cases, individuals, especially those in high-level positions, may be barred from serving as officers or directors of any SEC-registered public company.
- Additional Sanctions: The SEC can also impose other sanctions, such as revoking a company’s registration, imposing restrictions on future trading, and referring the case for criminal prosecution, which could lead to more severe penalties including imprisonment.
- Factors Influencing Fines: The size of the fine is influenced by several factors, including the egregiousness of the misconduct, the extent of cooperation with the SEC during the investigation, and the efforts taken by the company to remediate the harm.
- Examples of High-Profile Cases: In the past, companies have faced significant fines for failing to promptly disclose data breaches. For example, in 2018, Altaba, formerly known as Yahoo!, agreed to pay a $35 million penalty to settle charges of misleading investors by failing to disclose one of the world’s largest data breaches.
It’s important to note that these fines and penalties are determined on a case-by-case basis, and the SEC considers various aspects of each individual case before deciding on the appropriate sanctions. Companies are strongly advised to adhere to SEC guidelines and to seek legal counsel in matters relating to potential violations of securities laws.
How to file an anonymous complaint to the U.S. Securities and Exchange Commission (SEC)
Reporting an anonymous complaint to the U.S. Securities and Exchange Commission (SEC) about a company that leaked customer data involves a few key steps:
- Understanding What to Report: Before filing a complaint, ensure that the issue falls under the SEC’s jurisdiction. The SEC typically handles violations of securities laws, which may include issues related to a public company’s disclosure of information that could affect investors’ decisions. A data leak, depending on the circumstances, might fall under this category if it impacts the company’s stock or investor interests.
- Gathering Information: Collect as much information as possible about the violation. This includes details about the company, the nature of the data leak, how you became aware of it, and any other relevant details. The more specific the information, the more useful it will be for the SEC’s investigation.
- Using the SEC’s Online Tip, Complaint, and Referral (TCR) System: The SEC has an online system for submitting tips, complaints, and referrals. You can access it through the SEC’s website. This system allows you to submit your complaint electronically.
- Choosing to Remain Anonymous: When using the TCR system, you have the option to submit your complaint anonymously. However, if you want to be considered for a whistleblower award, you must be represented by an attorney who submits your information on your behalf. The attorney can submit your tip anonymously, but they must know your identity.
- Filling Out the Form: The TCR system will prompt you to fill out a form with various details about your complaint. Provide as much information as you can. If you are submitting the form anonymously, ensure that you do not include any personal information that could identify you.
- Submitting the Complaint: Once you have completed the form, submit it through the TCR system. The SEC will receive your complaint and review it for potential action.
- Following Up (If Desired): If you have submitted your complaint anonymously and without an attorney, you will not receive updates on the status of your complaint. If you have an attorney, they can inquire about the case status on your behalf.
It’s important to note that while the SEC takes all complaints seriously, not all complaints will lead to an investigation or action. The SEC’s ability to take action depends on various factors, including the nature of the alleged violation and the evidence provided.
For more specific guidance or legal advice, consider consulting with a legal professional, especially if you are considering applying for a whistleblower award.
Ransomware Gang Files An SEC Complaint
The Alphv ransomware gang, also known as BlackCat, has reportedly taken the unprecedented step of filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink, a digital lending technology vendor. This action follows the gang’s claim of compromising MeridianLink’s network on November 7 and stealing company data without encrypting systems.
According to the ransomware group, MeridianLink did not disclose the cyberattack within the stipulated four-day period as required under the SEC’s cybersecurity incident disclosure rules. These rules, announced in July, mandate publicly traded companies to report cyberattacks that have a material impact. The requirement to disclose such incidents on Form 8-K within four business days came into effect in September. However, for larger companies, this requirement will not be enforced until December 18, 2023, while smaller organizations have until June 2024 to comply.
MeridianLink, in response to the incident, acknowledged experiencing a cybersecurity incident. The company stated that upon discovering the incident, they acted immediately to contain the threat and engaged third-party experts to investigate. They also mentioned that their investigation, as of now, has found no evidence of unauthorized access to their production platforms and that the incident caused minimal business interruption. MeridianLink also committed to notifying affected parties if they determine that consumer personal information was involved in the incident.
An SEC spokesperson declined to comment on this specific incident. However, legal experts view Alphv’s tactic of reporting the victim to the SEC as a natural evolution of efforts by ransomware groups to increase pressure on victims to pay and cooperate. This approach is expected to accelerate the decision-making process within victim companies, especially when they must consider whether to report an incident, anticipating that the market, investors, and the SEC will become aware of the incident before the company has provided disclosure on an 8-K form.
This incident represents a novel intersection between cybercrime and regulatory compliance, highlighting the evolving strategies of ransomware groups to exert pressure on their targets. It also underscores the increasing importance for companies to swiftly and accurately report cybersecurity incidents in compliance with regulatory requirements.
Information security specialist, currently working as a risk infrastructure specialist & investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management, and information security standards.