ELTENI’S CYBER SCOOP
Latest News
In this newsletter, we focus on the SEC creation of the Cyber and Emerging Technologies Unit (CETU), challenges identifying materiality of cyber incidents and the continued focus on cybersecurity disclosures.
REGULATORY CORNER
SEC Commissioners on the Hunt for Materiality: Disagree on Cybersecurity Enforcement Actions
On October 22, 2024, Republican SEC Commissioners Hester Peirce and Mark Uyeda issued a joint dissent sharply criticizing charges brought against four companies for allegedly making materially misleading disclosures regarding cybersecurity. The charges stemmed from the SEC’s investigation into public companies impacted by the widespread 2019–2020 compromise of SolarWinds’ Orion software. The companies agreed to pay civil penalties ranging from $900,000 to $4 million.
According to the SEC’s orders against the four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Ltd. — each was aware that a threat actor had accessed their systems as a result of the SolarWinds Orion hack but negligently minimized these cybersecurity incidents in public disclosures filed with the SEC.
The dissent characterizes the enforcement allegations as being of two types:
(1) Failing to disclose material information (in the cases of Avaya and Mimecast); and
(2) Failing to update an existing risk factor in response to a cyberattack (in the cases of Check Point and Unisys).
Notes
The dissenting opinions reflect concerns that the agency may be overreaching in its pursuit of transparency, potentially penalizing companies for not disclosing details that may not have been materially relevant to investors. This case underscores the evolving nature of cybersecurity compliance and the increasing pressure on organizations to provide clear, defensible disclosures. As regulatory expectations grow, companies must refine their incident response strategies to ensure they not only comply with SEC rules but also communicate cyber risks in a way that genuinely informs investors without unnecessary speculation or over-disclosure. If the SEC begins enforcing a stricter disclosure standard, companies may struggle with the balance between timely, relevant reporting and avoiding excessive regulatory scrutiny.
SEC Commissioners on the Hunt for Materiality | JDSupra
ENFORCEMENT NEWS
SEC Charges Flagstar for Misleading Investors About Cyber Breach
The SEC’s order found that Flagstar negligently made materially misleading statements regarding the Citrix Breach, which resulted in, among other things, the encryption of data, network disruptions, and the exfiltration of the personally identifiable information (“PII”) of approximately 1.5 million individuals, including customers. According to the order, the risk factors in Flagstar’s 2021 Form 10-K, which it filed on March 1, 2022, stated that cybersecurity attacks “may interrupt our business or compromise the sensitive data of our customers,” but Flagstar did not disclose that Flagstar had already experienced cybersecurity attacks that resulted in the exfiltration of sensitive customer data and that the Citrix Breach interrupted its business.
Without admitting or denying the findings in the SEC’s order, Flagstar agreed to cease and desist from committing or causing any violations of these provisions and to pay a $3.55 million civil money penalty.
Notes
This case highlights the growing regulatory scrutiny around cybersecurity disclosures and the broader implications for businesses that fail to provide accurate and timely information. In an era where cyber threats are a constant risk, organizations must implement strong security frameworks and, just as importantly, establish rigorous internal processes to assess and disclose incidents properly. Inadequate reporting hinders informed decision-making. Investors rely on accurate disclosures to assess a company’s risk exposure, while customers need to know if their data has been compromised. Without clear and honest communication, stakeholders are left in the dark, increasing the potential for reputational harm and long-term financial instability.
SEC Charges Flagstar for Misleading Investors About Cyber Breach | SEC.gov
CYBER NEWS
SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors | SEC.gov
With rapid technological innovation and the rise of digital platforms, protecting retail investors is crucial, as they are often vulnerable to sophisticated fraud. Before CETU, the SEC had units like the Office of Investor Education and Advocacy and the Division of Enforcement to address fraud and misconduct. The Crypto Assets and Cyber Unit also focused on digital assets and cybersecurity. CETU expands on these efforts, offering a more specialized focus on emerging technologies for enhanced investor protection.
Study finds ‘significant uptick’ in cybersecurity disclosures to SEC | CyberScoop
The SEC’s new cybersecurity disclosure rules took effect in 2023 and since then, public companies have reported a 60% increase in cybersecurity incidents—with 78% of these reports filed within eight days of discovering an incident. Despite the surge, less than 10% of disclosures include details on the material impact of these incidents. The report by Paul Hastings LLP highlights how companies struggle to balance rapid disclosure (to avoid SEC penalties) with the need to protect sensitive operational details.
Lock All The Doors: The Cybersecurity Risks Of Overlooked Devices In Computer Networks | Forbes
Governments are starting to demand tougher security rules for IoT devices and appliances, but progress is slow and there’s no guarantee new regulations will stick. At the same time, many organizations are unaware of the solutions available to address IoT security gaps. Raising awareness is critical. Companies should regularly ask themselves: What devices on our network aren’t being monitored? How can we improve visibility into their activity?
Data Suggests It’s Time to Rethink Cloud Permissions | DarkReading
In the age of cloud computing, identity has become the new perimeter, which means identity and access management plays an outsized role in minimizing risk. Once accounts are compromised, they can enable more destructive cyberattacks that impact employees, customers, and others up and downstream. Left unchecked, excessive permissions can put organizations in the crosshairs of ransomware groups.
DECODE THE TERMS
APT (Advanced Persistent Threat) – An Advanced Persistent Threat (APT) is a sophisticated, long-term cyberattack by nation-states or organized groups. APTs use advanced techniques, maintain persistent access, and evade detection to achieve targeted objectives like espionage or data theft.
RCE (Remote Code Execution) – A critical cybersecurity vulnerability that allows an attacker to execute arbitrary code on a target system remotely. This can lead to full system compromise, data theft, or further exploitation. RCE typically results from flaws in software, such as input validation failures, buffer overflows, or deserialization vulnerabilities.
OTP (One-Time Password) – A security mechanism that generates a unique, temporary password for a single authentication session. OTPs enhance security by preventing replay attacks and are commonly used in multi-factor authentication (MFA) via SMS, email, or authenticator apps.
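As an added illustration of the OTP entry above (example code written for this newsletter, not from any vendor or standard body's implementation), the block below generates counter-based one-time codes per RFC 4226 (HOTP) and shows the server-side bookkeeping that actually delivers the replay protection: once a code is accepted, the counter advances and that code, along with every earlier one, is rejected. The secret is the RFC 4226 test key; the look-ahead window size is an assumption.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                       # 8-byte counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC
    offset = digest[-1] & 0x0F                             # low nibble picks the slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one enrolled user: the next expected counter.

    A code is only valid for a single session because accepting it moves the
    counter past it; presenting the same code again (a replay) fails.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0          # next counter value we will accept
        self.window = window      # assumed look-ahead for skipped client presses

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume: this and all earlier codes are dead
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 4226 test secret.
    v = OtpVerifier(b"12345678901234567890")
    first = hotp(v.secret, 0)
    print("first code:", first, "accepted:", v.verify(first))
    print("replayed   :", first, "accepted:", v.verify(first))  # rejected
```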