The U.S. government suffers possibly its most compromising cybersecurity attack and the public’s best source for reliable information is … the SEC? Head-scratching, but arguably true.
A large cyber hack campaign attributed to Russia first came to light when malware protection firm FireEye disclosed, simultaneously on its company blog and in an SEC Form 8-K filed on Dec. 8 (and updated Dec. 14), that it had been hacked. According to SolarWinds Corp.’s Form 8-K, filed the same day as FireEye’s update, saboteurs added malware to the Orion monitoring product updates that were uploaded to government and private-sector computers. FireEye’s computers were among those infected.
What Did SolarWinds and FireEye Disclose?
SEC disclosures provide investors with timely, material information to help them make informed investment decisions.
In this cybersecurity event, SolarWinds disclosed the malware as an “other event” in its Form 8-K. That’s a catch-all for uncategorized but important events for security holders, not one of the form’s many specified financial events. (According to the SEC: “The registrant can use this Item to report events that are not specifically called for by Form 8-K, that the registrant considers to be of importance to security holders.”) In the disclosure, SolarWinds reported that as many as 18,000 of its customers may have been exposed via SolarWinds’ Orion monitoring products—products that represent a very material 45% of the company’s revenues.
The attack on FireEye, discovered after it found a suspicious login, goes to the heart of its cybersecurity protection business model.
FireEye’s customers include such highly sensitive entities as nation-states, defense firms, large energy concerns, and tech companies.
The target was certain Red Team assessment tools—tools used to bypass customers’ networks to test their security. FireEye’s Dec. 14 Form 8-K implicated a malicious SolarWinds software update as the door that allowed hackers remote access to its systems.
The company claimed it has found no evidence that data was exfiltrated from its primary systems, which store customer information, but promised to contact any customer directly if their information was in fact stolen.
SEC Guidance for Hacks
Hacks of significant magnitude and seriousness would seem to demand a combination of prescriptive disclosure (i.e., disclosure of everything specifically requested under SEC Rules) and facts-and-circumstances disclosure (i.e., which disclosure is called for based on the nature of a particular event) to account for the uniqueness of every situation.
SEC staff has advised reporting companies that cybersecurity incidents are “among the most significant factors that make an investment in the company speculative or risky” and therefore must be disclosed. The commission released additional cybersecurity disclosure guidance in 2018, with a continuing focus on giving investors the information they need to assess a given company’s financial prospects, rather than giving individuals, companies, and government agencies the information that they would find important or helpful in managing their response to an incident.
The SEC sometimes brings enforcement actions against companies that fail to disclose hacks, as it did against the entity formerly known as Yahoo! after the company misled investors by not disclosing a breach affecting over 500 million user accounts. In 2018, Yahoo! agreed to pay a $35 million penalty to settle the SEC’s charges.
The Limits of SEC Disclosures
In this recent cybersecurity attack, both SolarWinds and FireEye made their required SEC disclosures. The disclosures do not—and were never intended to—provide information to consumers, supply chain partners, other federal and state government agencies, or international governments with an interest in the disclosed information.
Why? The SEC disclosure regime typically does not regulate public disclosures by nonreporting companies or individuals, absent a financial interest or holding an officer or director position in a reporting company.
Furthermore, the Form 8-K disclosure regime is standards-based. As such, it is very likely that companies will refrain from disclosing information that may arguably be irrelevant to a materiality standard—even if that information is needed by other parties. For example, an SEC disclosure of a hack might not report which individuals or corporate interlocutors were impacted; they may only describe generally which information is at risk.
The gaps in the disclosure regime are enormous. Companies with no SEC reporting obligations are not covered, and extremely large companies, be they defense contractors or tech firms, may have operations so vast that only the most significant of cyber hacks would materially affect their finances, triggering a disclosure obligation.
In assessing materiality for reporting obligation purposes, the SEC advises that companies generally weigh “the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Public companies are required by the SEC to report when one or more cybersecurity incidents materially affects the company’s finances, operations, or liquidity; or presents risks of litigation, regulatory investigations, harm to reputation, increased insurance costs, or potential harm to its products, services, and customer and vendor relations.
It’s disconcerting to remember that, were FireEye and SolarWinds not public companies that complied with their reporting obligations, there would have been no SEC disclosure in the wake of these hacks. There are far fewer public companies than decades past, and they are now outnumbered almost 2-to-1 by private companies. This makes SEC disclosure surprisingly hit-or-miss whenever a hack occurs.
A Need for Broader, Deeper, Quicker Disclosure
What government mechanisms exist to handle the dissemination of material, non-investor information? Some in the federal government have downplayed the seriousness of these ongoing attacks. Yet the targets include some of the most sensitive government agencies and all five branches of the U.S. military, not to mention 85% of the Fortune 500. It is concerning that it apparently was FireEye that notified the FBI, and not vice-versa.
Practically speaking, government intelligence agencies cannot always be on top of the vast array of cyber threats affecting the United States. But some companies tend to sit on information after they are hacked, even when disclosure via an SEC filing is clearly required.
Computer hacks are nothing new. Cybersecurity breaches demand timely public disclosure to those whose information has been put at risk. Those made vulnerable should not have to rely so heavily on the SEC for urgent disclosures to get us the kind of information we need from companies.
The SEC cannot do all the heavy lifting on getting cyber hack information to the people who need it. Nor should it have to. Its disclosure-related role is simply to keep investors informed about publicly traded companies. Overburdening the SEC with disclosure collection and dissemination mandates not related to protecting investors runs the risk of distracting the SEC from its core mission and failing to ensure that the information needed by victims of cyber breaches actually reaches them in a timely manner.
Bloomberg Law subscribers can find related content on our Securities Practice Center: Periodic Reporting resource.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT<GO> in order to access the hyperlinked content.