Anderson P.C.

SEC Crackdown: Key Enforcement Trends in Cyber Disclosure, Director Independence, and Reg FD

The U.S. Securities and Exchange Commission’s (SEC) Division of Enforcement has intensified its focus on significant areas of compliance for public companies. Recent actions have targeted cybersecurity incident disclosures, director independence misrepresentations, and violations of Regulation Fair Disclosure (Reg FD). Here’s what you need to know about these developments and how they could impact your company.

Cyber Disclosure Enforcement Actions

On October 22, 2024, the SEC announced charges against four companies for making materially misleading statements about cybersecurity incidents. One company also faced allegations of failing to maintain adequate disclosure controls. These cases stem from an investigation into public companies affected by the SolarWinds Orion software breach. The civil penalties agreed upon by these companies range from $990,000 to $4 million.

The SEC’s findings revealed that, despite knowing their systems had been breached, these companies downplayed the extent of the incidents in their disclosures. For instance, one company reported cybersecurity risks as hypothetical in its Form 10-K, even though it had already suffered two major breaches involving the unauthorized transfer of large volumes of data. The SEC pointed out that the company's incident response policies failed to ensure cybersecurity information reached disclosure decision-makers, contributing to materially misleading statements.

A foreign issuer similarly downplayed the impact of the SolarWinds breach in its Form 20-F, omitting critical cybersecurity risks. Another company inaccurately minimized the breach in its Form 10-Q, despite significant evidence of ongoing unauthorized access. The SEC stressed the importance of providing accurate and comprehensive disclosures and warned against framing known cybersecurity risks as hypothetical or generic.

Key Takeaways for Public Companies:

  • Avoid Hypothetical Descriptions: Disclose cybersecurity risks accurately when they have already materialized.

  • Strengthen Disclosure Controls: Ensure material cybersecurity incidents are promptly escalated to key decision-makers.

  • Provide Balanced and Transparent Disclosures: Quantifying aspects of a breach while omitting other material details can be misleading. However, be cautious not to disclose sensitive information that could further compromise security.

  • Assess Materiality in Context: Consider the potential impact of nation-state actors or significant hacking groups on your business.

Commissioners Peirce and Uyeda dissented, arguing that the SEC's approach constitutes regulation by enforcement and questioned the materiality of some omitted details.

Director Independence

On September 30, 2024, the SEC charged James Craigie, a former corporate director, with violating proxy disclosure rules by concealing a close personal relationship with a high-ranking executive. This omission led to misleading statements about his independence in the company’s proxy filings. Craigie, a former CEO turned independent director, reportedly failed to disclose this relationship in D&O questionnaires, despite going on luxury vacations with the executive and discussing board matters that should have remained confidential.

The SEC determined that Craigie’s actions undermined the independence standards required under stock exchange rules and the company’s governance guidelines. As a seasoned public company director, Craigie was deemed to have known the significance of disclosing such relationships, yet he repeatedly failed to do so. The case serves as a crucial reminder of the importance of thoroughly evaluating director independence.

Key Takeaways for Companies:

  • Understand Independence Standards: Evaluate relationships, including close personal friendships, that could compromise director independence.

  • Detail D&O Questionnaires: Ensure these forms ask direct questions about personal and professional relationships that might impair independence.

  • Educate Directors on Disclosure Obligations: Emphasize the serious consequences of failing to disclose material relationships accurately.

Reg FD Violations for Social Media Disclosures

On September 26, 2024, the SEC charged DraftKings Inc. with Reg FD violations after a public relations firm inadvertently posted material nonpublic information (MNPI) on the CEO’s personal social media accounts. The posts, which shared earnings data, were taken down within 30 minutes, but the company failed to make a prompt public disclosure, as required by Reg FD. Instead, the information was only disclosed a week later during the scheduled earnings release.

The company’s social media policy and Reg FD guidelines had been violated, leading to a settlement that required enhanced training for all employees involved in corporate communications.

Key Takeaways for Companies:

  • Oversight of External Providers: Ensure external PR firms and social media managers comply with Reg FD policies.

  • Monitor Executive Accounts: Verify that executives’ social media posts do not contain MNPI.

  • Educate on Reg FD Compliance: Provide regular training on Reg FD requirements and social media use to prevent inadvertent disclosures.

These enforcement actions highlight the SEC's vigilance and the need for public companies to strengthen their compliance practices. Understanding these key areas can help mitigate risks and ensure more robust governance.

* * *

Attorney Advertising—Anderson P.C. is a U.S. law firm and provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
