October 7, 2022

Volume XII, Number 280

Advertisement

October 06, 2022

Subscribe to Latest Legal News and Analysis

October 05, 2022

Subscribe to Latest Legal News and Analysis

October 04, 2022

Subscribe to Latest Legal News and Analysis

Log4J: Enforcement Risk for Public Companies

The Apache Log4j vulnerability continues to command significant attention throughout the public and private sectors. In a recent interview, the director of the US Cybersecurity and Infrastructure Security Agency (CISA) described Log4j as the “most serious vulnerability” she has seen in her decades-long career. On December 22, 2021, CISA, along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and international law enforcement partners, issued a joint advisory cautioning that malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world.

IN DEPTH


Security researchers predict that organizations will be contending with the vulnerability (and its fallout) for months to come. CISA created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders as well as a community-sourced GitHub repository of affected devices and services. These government resources are setting the baseline on reasonable security for Log4j response and, in essence, providing a potential roadmap for legal compliance.

While the wolf at the door may be the technical challenge of identifying and remediating the vulnerability, public companies need to monitor the application of internal controls and procedures in the response. Companies should also assess the impact that the Log4j vulnerability may have on their business, financial condition and results of operations. These inquiries will feed into whether a public company has any disclosure obligations under US securities law. Indeed, the Securities and Exchange Commission (SEC) has emphasized that public companies must take “all required actions” to inform investors about material cybersecurity risks and incidents1 in a timely fashion. Covered risks and incidents can include those that have not yet matured to a cyberattack.

A public company can have the best policies and procedures on paper, but if they are not applied properly and there is not the appropriate flow of information, enforcement risk abounds. This is particularly true where, as here, the vulnerability is so widespread (reportedly upwards of 100 million devices and servers are affected by the security flaw) and it is actively being exploited by malign actors, including those associated with nation states.

The SEC has a demonstrated track record of bringing enforcement actions against public companies for deficient disclosure and controls related to cybersecurity risks and incidents; these actions include instances where management failed to properly investigate and adequately consider whether a breach needed to be disclosed to investors as well as a cybersecurity incident that was not remediated in accordance with company policy or properly escalated to senior executives.

If past is prelude, the SEC could send out requests for information to companies that have downloaded a compromised version of Log4j and ask them to provide further detail about software usage as well as other compromises by external actors, regardless of materiality or access to material non-public information.  Although Log4j is open-source software and does not have a ready list of companies that installed it, the US government monitors a continually updated list of known vulnerable vendors/applications involving Log4j. And, Log4j is on regulators’ radar; for example, the SEC has spotlighted it on its website.

As the Log4j issue continues to unfold, company personnel responsible for developing and overseeing disclosure controls and procedures should have a line of sight into the technical response and ensure that company controls and procedures are being applied properly. They also need to be vigilant, in a dynamic threat environment, about obtaining sufficient information to meaningfully evaluate disclosure obligations, including asking:

  • Has the company conducted a vulnerability assessment to identify if it has potentially been impacted by Log4j?

  • If so, what is the assessed impact on reputation, financial performance, and customer and vendor relationships?

  • What, if anything, is impeding such an assessment?

  • If the company has systems or applications utilizing vulnerable versions of Log4j, what is the remediation plan to address those systems or applications, and how long will it take to effectively remediate?

  • Is there any deviation between the company’s existing policies and procedures on security incident response and vulnerability management and how Log4j is being handled?

  • Has the company discovered any Indicators of Compromise (IoCs) related to Log4j within its environment?

  • Has the company conducted diligence of its vendors, particularly those with access to company data and/or systems, to determine whether they have been impacted by Log4j?

  • Has the company had any previous cybersecurity incidents, and if so, were they disclosed to investors?

  • If they were not disclosed, what were the reasons they were determined to not be material?

In preparing a disclosure, public companies must give sufficient details of a material cybersecurity risk or incident so as not to overgeneralize; at the same time, companies should avoid details that could enable threat actors to target the exploitable software running on company systems.2 Finally, companies must be mindful of the prohibition against corporate insiders’ trading the company’s securities while in possession of material nonpublic information, which may include knowledge regarding Log4j impact.3


1A “cybersecurity incident” is “[a]n occurrence that actually or potentially results in adverse consequences to … an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.” US Computer Emergency Readiness Team website, available at https://niccs.us-cert.gov/glossary#I.

2In its February 2018 guidance, the SEC noted that it does not expect companies to make detailed disclosures that could compromise the company’s cybersecurity efforts—for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections; nor does the SEC expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, the SEC does expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.

3In 2018, the SEC charged a number of now former employees at Equifax with insider trading in advance of the company’s September 2017 announcement of an extensive data breach that exposed Social Security numbers and other personal information of approximately 148 million US customers. See Former Equifax Executive Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-40https://www.sec.gov/news/press-release/2018-115Former Equifax Manager Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-115.

© 2022 McDermott Will & EmeryNational Law Review, Volume XI, Number 357
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Partner

Caitlyn M. Campbell, a former US Securities & Exchange Commission (SEC) Enforcement Attorney, focuses her practice on representing clients in SEC investigations, securities class action and derivative litigation, and compliance matters. Caitlyn has extensive experience in matters involving potential violations of the federal securities laws, including accounting issues, various issues in the investment management industry, insider trading, anti-corruption and FCPA compliance, and whistleblower claims.

Prior to joining McDermott, Caitlyn...

617-535-3930
Scott Ferber Cybersecurity Attorney McDermott Will and Emery Washington DC
Partner

Scott leverages his extensive experience as a former federal cybercrime prosecutor and in senior leadership at the US Department of Justice (DOJ) to advise clients across industries on the full range of privacy and security issues created by global data collection and usage. This includes responding to cyber incidents and managing complex privacy and cyber risk assessments. Scott often defends clients in regulatory investigations from the Federal Trade Commission (FTC), State Attorneys General and other federal, state and local regulators and criminal authorities.

...
202-756-8988
Paul Helms Government Investigations Lawyer McDermott
Partner

Paul Helms defends clients in government investigations, principally investigations by the US Securities and Exchange Commission (SEC), and conducts internal investigations involving securities, accounting and other financial concerns. Through his work at the SEC and in private practice, Paul handled more than 40 investigations across multiple subject areas, including financial and accounting fraud, offering fraud, market manipulation, insider trading, Foreign Corrupt Practices Act (FCPA) violations and regulatory compliance. Paul has substantial experience in matters...

312-984-5380
Partner

Todd S. McClelland advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions. Todd counsels clients in many industries, including payment processors, cybersecurity product providers, retailers, petro companies, financial institutions and traditional brick-and-mortar companies.

Prior to his legal career, Todd was an engineer designing and programming industrial control, robotics and automation systems. This background gives him unique perspective and...

404-260-8550
Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney
Partner

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice....

617-535-3982
Advertisement
Advertisement
Advertisement