Is Your Cyber Reporting Regime Robust Enough To Comply With The UK Continuing Obligations Regime?

by Simon Enoch, Consultant Solicitor
In contrast to regulators in other jurisdictions, the UK’s Financial Conduct Authority (the “FCA”) has not yet issued any specific guidance for listed companies that addresses a breach of cyber security under the Disclosure Guidance and Transparency Rules (“DTR”) or the Market Abuse Regulation (“MAR”).
As far back as October 2011 the US Securities and Exchange Commission (“SEC”) issued guidance which, whilst not binding on UK listed companies, offered principles that can be applied analogously to the UK disclosure framework.
More recently the SEC has moved from guidance to enforcement, and has imposed a substantial financial penalty on its first dual-listed registrant, Pearson plc, having already placed a cease-and-desist order against First American Financial Corporation (“FAFC”) for deficient disclosure controls and procedures related to cybersecurity risks.
The SEC believes that as public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.
In the light of this there is an ever-growing case for UK listed companies to ensure they have a robust reporting regime, so that those at the top of the company can accurately assess any cyber breaches and decide whether they should be disclosing them to comply with their Continuing Obligations under the DTRs and MAR.
FAFC Facts
On May 24, 2019, a cybersecurity journalist notified FAFC’s investor relations personnel that its web application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability that exposed sensitive personal information from more than 800 million documents from real estate transactions, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images. After FAFC shut down external access to this web application, the journalist published an article regarding the vulnerability.
On May 28, 2019, the first trading day following the publication of the article, FAFC filed a Form 8-K and press release with the SEC regarding the vulnerability. Unbeknownst to the senior executives responsible for the Form 8-K disclosure, FAFC information security personnel, including the CISO, had learned about this vulnerability months earlier, and had failed to remedy the problem, or tell the CEO or CFO of the issue.
Pearson plc
This year, Pearson, a dual-listed UK-US company (which provides educational publishing and other services to schools and universities), agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of birth and email addresses, and had inadequate disclosure controls and procedures.
Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of US Securities law and to pay a $1 million civil penalty.
The SEC said that in its semi-annual report, filed in July 2019, Pearson referred to the data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. In a July 2019 media statement, Pearson stated that the breach may have included dates of birth and email addresses, when, in fact, it knew that such records had been stolen. Pearson said it had “strict protections” in place, when, in fact, it had failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen.
According to Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, Pearson opted not to disclose the breach to investors until the media contacted it, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections.
How can Jurit help you?
Whilst we are not US lawyers, and cannot give US law advice, we are aware of the US law and the potential impact it may have on your business.
Jurit includes senior practitioners and former in-house legal advisers to global technology companies, as well as other sectors including entities with dual listings.
We can help you to review your company policies to check compliance with the DTRs and MAR and, if needed, can work with US lawyers on the extra-jurisdictional application of US law and regulations.
Our legal and business advisory consulting services business is built on market leading law technology and office support systems, which allow us to control our operating costs and offer flexibility in our approach to fee arrangements with clients.
If you have any questions, please contact your usual Jurit contact, or a member of the Technology and Innovation team.
Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.