Recent cases involving cyber liability, misrepresentations and inaccurate disclosures illustrate why microcaps must have strong, vigilant cyber oversight, robust cyber coverage, and D&O policy language that provides corporate and executive coverage for SEC investigations.
SEC Enforcement: Failure to Disclose Extent of Hack
The SEC has filed settled charges against an asset management company based in Dallas over false and misleading disclosures regarding a cyber event. In September 2023, the company discovered that a foreign-based threat actor had succeeded in launching a cyberattack and gaining access to its servers. The hackers were able to access more than 12 terabytes of data containing sensitive hotel guest information. In multiple quarterly reports, the company stated that it had completed an investigation and had not identified any customer information that had been exposed, even though the company should have known that sensitive personally identifiable and financial information was included in the breach.
The Takeaway for Microcaps: This case illustrates how the SEC takes cyber liability and disclosure failures seriously, even among smaller issuers. Cyberattacks and data breaches have become common threats, so companies need to have both a prevention plan and a response plan. Publicly traded companies don’t just need to contend with state data breach notification laws requiring notice to individuals who have been impacted, but they also have to be careful about what they say in reports and whether it could be seen as misleading investors.
SEC Enforcement: Misrepresentations Regarding Cybersecurity Risks
On October 22, 2024, the SEC announced that it had charged four current or former public companies with making materially misleading disclosures regarding their cybersecurity risks and intrusions. The charges were the result of an investigation that looked into public companies that might have been impacted by the SolarWinds Orion software cyberattack. The SEC says all four companies learned in 2020 or 2021 that the threat actor believed to be behind the SolarWinds attack had accessed their systems, but they minimized the incident in their public disclosures.
The Takeaway for Microcaps: Only one of the companies involved in this SEC enforcement action was a microcap. Interestingly, the microcap paid the largest civil penalty, at $4 million, possibly because it was also charged with violations related to disclosure controls and procedures. Regardless, the action shows that cyber incidents can increase scrutiny of all companies, and companies of any size can be found in violation of SEC regulations.
SEC Enforcement: Cyber-Driven Manipulation Scheme
The SEC charged 18 defendants in an international scheme in which at least 31 online retail brokerage accounts were hacked and used to make unauthorized purchases of microcap stocks. These purchases manipulated the trading volume and price of those stocks, allowing the hackers to sell the holdings they had previously acquired at inflated prices. The hacks occurred in 2017 and 2018, but the SEC charges were brought in 2022.
The Takeaway for Microcaps: Microcaps may be attractive targets for scammers attempting to manipulate prices for profit. Cybersecurity is critical for both microcap companies and retail investors.
SEC Enforcement: Misrepresentations and Stock Manipulation
The SEC has charged 10 defendants in a microcap fraud scheme targeting retail investors that involved share manipulation and stock promotion for a publicly traded company based in Delaware. According to the SEC complaint, the defendants' actions included buying stock while concealing their control of the company and stock, selling the stock to retail investors, generating interest in the stock by funding a stock promotion campaign, and making various misrepresentations to circumvent stock sale limitations.
The Takeaway for Microcaps: Although the charges in this case were about financial practices rather than cyber issues, it does highlight the need for transparency and accurate disclosures. The SEC is paying attention to governance issues, and this applies to all aspects of operations, including cyber-related actions.
Is Your Company Covered?
Two questions: 1. Do you have adequate cyber liability insurance? 2. How does your D&O policy respond to SEC investigations involving cyber liability, financial practices and misrepresentations? If you’re not sure, now is the time to find out.
Contact me for a review of your coverage.

