On August 16, the Securities and Exchange Commission announced an enforcement action against Pearson plc, a company that provides educational publishing and other services to schools and universities. The SEC’s order finds that Pearson misled investors about a 2018 cyber intrusion. The case is a reminder of the disclosure implications of cybersecurity breaches and of the risks of failing to promptly inform investors of such incidents or downplaying their severity. It also highlights the importance of regularly reviewing risk factor disclosure and of not repeating the same risk disclosure as in prior filings when the underlying facts have changed.
Facts
Pearson is a U.K. company with shares traded on the London Stock Exchange and American Depositary Receipts listed on the New York Stock Exchange. Among the services it offers to educational institutions is web-based software for entering and tracking students’ academic performance.
According to the SEC’s order, on March 21, 2019, Pearson learned that data stored on one of its servers had been accessed and downloaded by a hacker who exploited an unpatched server vulnerability. Although the server software manufacturer had publicized the vulnerability six months earlier and issued a patch, Pearson did not implement the patch until after it learned of the attack. As a result of the breach, the intruder obtained millions of student records, including birthdates and email addresses, along with school district personnel usernames and weakly encrypted passwords. Pearson mailed a breach notice to the affected customers but concluded that no public disclosure was necessary.
On July 26, 2019, Pearson furnished to the SEC a report on Form 6-K of its results for the first six months of 2019. In the “Principal risks and uncertainties” section of that report, Pearson stated that a “[r]isk of a data privacy incident or other failure to comply with data privacy regulations and standards and/or a weakness in information security, including a failure to prevent or detect a malicious attack on our systems, could result in a major data privacy or confidentiality breach causing damage to the customer experience and our reputational damage, a breach of regulations and financial loss.” The same statement, framed entirely as a hypothetical risk, had appeared in its prior Forms 6-K, even though by the time of the July 2019 filing the breach had already occurred.
On July 31, a reporter informed Pearson that an article would soon be published revealing the data breach. That evening, Pearson posted a statement on its website regarding the breach. The SEC finds that this statement was misleading in several respects, including the following:
The statement described the incident as involving “unauthorized access” to data, when in fact Pearson was aware that the hacker had removed, not merely accessed, data from the compromised server.
The statement said that the data in question “may include date of birth and/or email address” when in fact Pearson was aware that approximately half of the exfiltrated records contained birthdates and that approximately 290,000 of the records contained email addresses.
The statement asserted that “Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability.” Pearson did not, however, reveal that the hacker obtained access to its server through a vulnerability of which Pearson had been notified and which it had failed to patch for six months after notification.
Analysis
In the SEC’s view, the Pearson cybersecurity breach was material for securities law disclosure purposes. The order explains:
“The breach at issue was material because Pearson’s business * * * involved collection and storage of large quantities of private data on school-age children around the world. As Pearson acknowledged in its risk disclosures, Pearson ‘holds large volumes of personally identifiable information,’ and its reputation and ability to attract and retain revenue depended in part on its ability ‘to adequately protect personally identifiable information.’ This breach involved a compromise of a server holding a large quantity of data Pearson was responsible for protecting * * *. It also involved lapses in Pearson’s protection of that data.”
The SEC also finds that Pearson’s processes and procedures around the drafting of its July 26, 2019 Form 6-K disclosures and its July 31, 2019 public statement failed to inform company personnel responsible for disclosure of certain information about the circumstances surrounding the breach. “Although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.”
On the basis of these findings, the SEC concludes that Pearson violated various provisions of the federal securities laws that prohibit untrue or materially misleading public statements or the furnishing of inaccurate or misleading information to the Commission. The company also violated SEC rules requiring the maintenance of disclosure controls and procedures designed to ensure the recording of information required to be disclosed in reports filed with or furnished to the SEC.
Settlement and Sanctions
Without admitting or denying the SEC’s findings, Pearson agreed to a cease-and-desist order prohibiting future violations and to payment of a civil money penalty of $1 million to settle the proceeding. The order notes that, in accepting the settlement, the SEC considered Pearson’s cooperation with the SEC staff.
Comment: Pearson illustrates several points that audit committees should keep in mind if the company finds itself in the position of dealing with a cybersecurity breach or vulnerability.
Cybersecurity disclosure is a top SEC priority. The Commission’s staff is likely to scrutinize closely any public statement or filing concerning a cyber breach. In June, the SEC brought a case similar to Pearson in which it alleged that a financial institution’s inadequate disclosure controls resulted in incomplete public statements and filings regarding a cybersecurity vulnerability. Additional cases of this nature are likely. Further, the Commission announced in June that the Division of Corporation Finance is considering rules to enhance issuer disclosures regarding cybersecurity risk governance. See The SEC’s Agenda – ESG Tops the List, July 2021 Update. In light of this emphasis, disclosures related to cybersecurity matters need to be carefully drafted, preferably with input from experienced SEC counsel.
In considering whether a breach is material for purposes of securities law disclosure, factors beyond the direct cost of the breach need to be weighed. As the Pearson order makes clear, in assessing materiality, the SEC will look to the potential impact on the company’s reputation and future ability to attract revenue and to the company’s responsibility to protect the privacy of third parties. Also, risk factor discussion of the importance of cybersecurity may be evidence of the materiality of a breach. The best approach may be to start with a presumption that any cybersecurity breach is material, unless the consequences are clearly trivial.
If the company becomes aware of a breach, existing disclosures regarding cybersecurity risks should be reviewed and modified as necessary. A risk factor or other disclosure that describes a cyber breach as something that could occur is likely to be misleading once such a breach has in fact occurred, since it presents as hypothetical a risk that has already materialized.
A key lesson of Pearson is the importance of well-thought-out disclosure controls and procedures. In both Pearson and the prior case mentioned above, a fundamental problem seems to have been that important information regarding a cyber vulnerability or breach was not fully communicated to those responsible for disclosure. In overseeing the effectiveness of the company’s disclosure controls, the audit committee may want to consider whether the company’s procedures recognize the importance of this line of communication.