SEC Fine Highlights Importance of Cybersecurity Disclosures
The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator credentials in its July 2019 semi-annual report.
Pearson is a UK-based education and publishing company, and provides services to both K-12 schools and universities. As part of the provision of its services, school administrators are provided with login credentials, and 13,000 of those credentials -as well as student emails and dates of birth- were impacted in the cyber incident. Pearson learned of the incident in March 2019, and four months later, after its investigation, notified impacted individuals. Pearson’s management determined that no public statement needed to be issued, and the day after the board met (and seven days after notice was sent to impacted individuals), the company issued its semi-annual report (Form 6-K) which did not mention the cyber incident, instead referring to data privacy incidents as a hypothetical risk – mirroring language from past reports. After issuing its 6-K, Pearson was contacted by a national media outlet about the incident, and only then did it release a statement to the media and post information about the incident to its website.
The SEC cited Pearson with violations of the Securities Act and the Exchange Act for failure to have appropriate processes and procedures around the drafting of its Form 6-K Risk Factor disclosures, for misleading and inaccurate details in its disclosures, and for omitting key details about the incident (such as the volume and type of data impacted) in its media statement. While Pearson did not admit wrongdoing, it agreed to pay a $1 million penalty as part of the settlement.
Putting it into Practice. This case highlights the importance of appropriately analyzing incidents and assessing their materiality to determine if they need to be disclosed in company filings. Companies would be well served to review their controls and procedures, including how incidents are reported to management, what processes management has in place for analyzing materiality, and how its disclosures can quickly and effectively be modified or updated as the result of an incident.