On August 16th, 2021, the SEC announced that it had charged a London-based public company and imposed a $1 million fine for misleading investors about a 2018 cyber intrusion.
The 2018 cyber intrusion involved the following:
- Theft of millions of records, including dates of birth and email addresses.
- Theft of administrator log-in credentials.
- Inadequate disclosure controls and procedures.
It is important to remember the 2018 cyber intrusion because the company began to make misleading statements in 2019.
Those misleading statements were the following:
- The company referred to a data privacy incident in its 2019 semi-annual report as a hypothetical risk, even though the cyber intrusion had already occurred in 2018, before that report.
- The company also provided a media statement in 2019 stating it had “strict protections” in place, but when this statement was made, the company was already aware that the records of dates of birth and email addresses had been stolen.
- Another key omission was that the company failed to state that millions of rows of student data, usernames, and hashed passwords were stolen.
- Disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
It is important to note that the Chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, stated that the order found the London-based public company failed to disclose the breach to investors until it was contacted by the media. Even then, it did not fully disclose the breach, and it understated the entire incident while overstating its data protections. She also added that it is going to be very important for public companies moving forward to provide clear and precise information to investors about cyber occurrences.
This should serve as a warning to all companies not only to protect themselves against cyber occurrences, but also to fully disclose information about cyberattacks if they occur. This is not the first instance where the SEC has issued fines for non-disclosures, and it is something worth paying attention to moving forward.
To help companies comply with federal and state regulatory requirements, as well as with cybersecurity enhancements, Vigilant offers its cybersecurity solutions.