Misstatements and cybersecurity: will SolarWinds blow across the Atlantic?

A US company, SolarWinds, and its Chief Information Security Officer (CISO) are being prosecuted by the US Securities and Exchange Commission (SEC) for alleged misstatements on its website relating to cybersecurity and a series of cyber-attacks revealed in 2020. 

The SEC has been seeking to rely on public company disclosure rules and its ability to enforce certain cybersecurity-related controls, but a recent court ruling has seen many of its claims thrown out.  

Significant findings in the US on this case to date 

UK enforcement context

If SolarWinds was a UK listed company, might we see the UK authorities taking similar action?

UK authorities (the FCA and the SFO) have the power to investigate misleading statements made by a listed company, including about a cyber incident. 

The FCA has the power to take action under the new UK Listing Rules (UKLR) and the Disclosure Guidance and Transparency Rules (DTR), the former of which provides that a listed company must take reasonable care to ensure it does not make “misleading, false or deceptive” statements to the market “and does not omit anything likely to affect the import of the information”.

We have not yet seen the FCA take enforcement action against a listed company regarding cyber-related mis-statements. To date the FCA has focussed its cyber related enforcement efforts on operational failures by organisations within the financial services regulated sector. The closest we have come is the FCA’s criticism of certain post-attack public statements made by a company in the financial services regulated sector for giving an inaccurate impression of the number of consumers affected by a cybersecurity breach. In the US, the court dismissed the SEC’s claims related to SolarWinds’ Form 8-K disclosures concerning the attack given the limited information available upon discovery of the incident and during the early stages of an investigation. Nevertheless, in other circumstances involving unjustified misstatements, it is possible to foresee a scenario where the FCA elects to take action in this area.

Finally, whilst any enforcement in the UK would likely take the form of administrative sanctions, in the most serious cases there is also scope for criminal enforcement by a UK government agency, most likely the Serious Fraud Office (SFO). According to the SEC, the Security Statement on SolarWinds’ website was an actionable fraud and the US Court made clear it thought the SEC had a sufficient case to be tried. In refusing SolarWinds’ motion to dismiss this claim, the judge pointed to multiple examples of where the company and its CISO were aware that there were “sustained public misrepresentations” contained in the Security Statement which was “aimed at persuading customers to buy SolarWinds’ ostensibly secure products”. In the UK:

• A false statement, made in similar circumstances, could cause the SFO to consider whether there has been a criminal offence. For example, the new ‘failure to prevent fraud’ corporate criminal offence will catch ‘fraud by false representation’ regardless of any senior manager involvement and there could also be senior officer criminal liability.
• If a false statement is made with the intention of inducing someone to buy shares in the company, the FCA could consider using its power to prosecute under s89 Financial Services Act 2012. If a senior manager is involved with the misstatement, then the company could be criminally liable.

For context, whilst both the SFO and the FCA have successfully brought prosecutions in relation to financial misstatements, there is no publicly reported criminal enforcement by the SFO or FCA against a company or individuals regarding false statements about cybersecurity.

Whether to disclose to the market

While the US Court rejected the SEC’s criticisms of SolarWinds’ market disclosures about the attack, UK listed companies would nevertheless be well advised to evaluate their internal processes for determining whether an actual or suspected cyber incident cyber incident would trigger a disclosure obligation (in addition to any other regulatory reporting obligations, for example to the UK Information Commissioner’s Office (ICO) under the UK GDPR if personal data is involved).

At present, there is no specific trigger for disclosing cyber incidents to the market. Accordingly, the relevant question is whether information about a cyber incident is determined to be inside information or not.¹ This would include assessing the elements of inside information, including whether the information would be likely to have a significant effect on the price of securities.

As we have seen in the US, determining the materiality of a cyber incident has proved problematic. Last year the US Securities and Exchange Commission (SEC) created a specific ‘Material Cyber Incident’ Form 8-K reporting rule² with the aim of encouraging companies to disclose cyber incidents and improve transparency in the market. However, the new rule is understood to have resulted in companies over-notifying and investors being confused by the increasing number of cyber incidents being reported. The SEC was forced to issue clarification on its cybersecurity disclosure rules.

There is no such approach or guidance in the UK, although the former UK Conservative Government announced in March 2023 that it was conducting research into the effectiveness of cyber disclosures by large listed and private companies, to inform government policy on cyber resilience. No outcomes have been publicly reported on this study.

A recent development 

Less than two weeks after the US Court handed down its judgment on SolarWinds, shareholders of the cybersecurity company CrowdStrike issued a securities claim in a Texas federal court against the company for making alleged "false and misleading" statements about its software testing following the global IT outage. The claim cites various SEC filings, press releases, conference call transcripts, investor presentations and other public reports, including a statement from CrowdStrike’s chief executive on a conference call on 5 March that the firm's software was "validated, tested and certified”. CrowdStrike is disputing the claims.  

In the UK, shareholder claims of this type are less frequent, although there have recently been a number of high profile shareholder claims based on alleged misstatements. The companies involved have been the subject of previous enforcement action regarding financial crime misconduct such as bribery, fraud and breach of financial sanctions. While none of these claims related to cybersecurity incidents, the general incidence of shareholder actions implies this is an additional, related exposure that companies should be conscious of following major cybersecurity incidents, in addition to enforcement action by the authorities. 

Key takeaways

Although the UK and US have different rules relating to public company disclosures, there are still some good lessons to learn for UK businesses, not just those that are listed:

• Keep public cybersecurity statements up to date and accurate.
• Address and remediate vulnerabilities and other security issues raised internally.
• Ensure that both the business’s own security policies and industry best standards are adhered to.
• Ensure security issues flagged are escalated appropriately in accordance with internal procedures.
• For listed companies, align internal market disclosure processes with cyber incident response plans. In particular, focus on ensuring companies have a robust and streamlined decision-making process in place for determining the materiality of cyber incidents.
• CISOs should be aware of potential enforcement risks related to public misstatements concerning cybersecurity.
• Companies should ensure their CISOs are covered by directors’ and officers’ liability insurance.

These lessons are especially relevant following the recent global IT outage that has put the regulatory spotlight firmly on companies’ cyber-related policies, procedures and statements. The UK’s Cyber Security and Resilience Bill announced in the King’s Speech is also consistent with a renewed focus on operational resilience, although the detail of that bill is yet to be revealed.

Footnotes:

[1] DTR 2.2 and Article 17 UK Market Abuse Regime
[2] The new rule requires public companies to disclose “material” cyber incidents within four business days of determining materiality.