The SEC's cybersecurity risk factors disclosures action against Check Point
On October 22, 2024, the SEC brought and settled an action against Check Point based on alleged misrepresentations in the registrant's financial statements relating to a security incident it experienced as a result of the 2020 SolarWinds Compromise. This post summarizes the key points of the SEC's order and identifies certain takeaways (or perhaps better, "messaging" from the SEC). In short, the SEC takes certain positions that cut against standard evidence-based incident response reporting practices and that could shake up the industry. This action is one of four announced by the SEC; summaries of the others will follow.
The registrant.
A foreign private issuer providing products and services for information technology ("IT") security. The SEC's action arises out of alleged negligent misrepresentations or omissions in the company's risk factors in its 2021 and 2022 Form 20-F filings.
The incident.
- The registrant’s incident emanated from the SolarWinds Compromise first reported publicly on December 13, 2020.
- The registrant’s investigation identified unauthorized activity over a 4-month period (July through October 2020), including communications to a command-and-control server and execution of data compression software often used before data exfiltration.
- The SEC highlighted that the SolarWinds incident was reported to have been perpetrated by state-sponsored threat actors and that, given the registrant's business (IT security), its data would have been of "great interest" to those actors.
- Two corporate accounts were also compromised, and the threat actor performed reconnaissance of the registrant's systems and attempted to move laterally.
- The registrant's investigation did not identify evidence that customer data, code, or other sensitive information was accessed.
- It appears that the registrant's logs covered only September through December 2020, and that it did not have relevant logging in place before that timeframe. Its visibility was therefore limited, and it could not determine what may have transpired earlier (e.g. during July and August 2020, when the threat actor was active).
The SEC’s view on material risk.
- The SEC alleged that the registrant's risk profile changed materially because: (1) the attack was likely perpetrated by a nation-state actor, and (2) the threat actor persisted on the network for months and "took steps" in the environment (e.g. deploying software and attempting lateral movement).
- The SEC stressed that the registrant's alleged omissions were material because the registrant is a B2B IT security company, which makes its ability to protect its own systems "critically important to its reputation and ability to attract customers."
The disclosure deficiencies alleged by the SEC.
- The SEC focused on an alleged omission by the registrant: failing to disclose how its cybersecurity risk had increased as a result of the SolarWinds Compromise.
- The SEC alleged that the company's cybersecurity risk factors were "virtually unchanged" across its 2020, 2021 and 2022 Form 20-F filings, and therefore failed to reflect how its cybersecurity risks had changed since the earlier 2020 filing.
- The filings described the existence of intrusions in generic terms and omitted "new and material cybersecurity risks arising out of the SolarWinds Compromise", which allegedly created a materially misleading impression of the risks the registrant understood it faced post-incident.
- The registrant’s disclosures were also misleading because they framed any intrusions it experienced as not having a materially adverse impact.
Takeaways.
- Speculative approach. While the SEC conceded that there was no hard evidence that the threat actor accessed sensitive information, it relied on circumstantial evidence to support its materiality claims, including:
The existence of malware designed to exfiltrate data, combined with the lack of logging that could disprove access to sensitive data, were key factors in the SEC's analysis.
In addition, the view that the attack was perpetrated by state-sponsored actors interested in taking data processed by an IT security company also factored in. If the registrant had logs going back to July 2020 (or earlier) showing no data exfiltration, might the outcome have been different?
These allegations go to the heart of modern incident response from a legal perspective. The SEC appears to imply that even where there is no "hard" evidence of unauthorized access to or acquisition of sensitive information, a victim company that cannot prove the negative (i.e. that such access or acquisition did not occur) should assume the worst. This runs counter to the approach taken by many practitioners in the space, and has the potential to cause over-reporting and false positives.
- Reputational risk. The SEC focused on the nature of the registrant's business (IT security) and its data to conclude that the incident posed a material risk to the company's reputation. Practitioners should consider whether the nature of an organization's work makes it more closely tied to, or more affected by, a data breach.
- No material impact, but a material risk. The SEC's allegations here were not entirely clear, but it does not appear that the SEC considered the registrant's "no materially adverse impact" statement to be a misrepresentation in itself. Rather, the SEC appeared to indicate that this statement "framed" the registrant's cybersecurity risk in a misleading manner. Given this, and the tendency of data breaches to get worse over time, registrants should consider whether stating that there has been no material adverse impact is necessary or wise.
- Generic statements and relative risk over time. The SEC also took issue with the generic and repetitive nature of the registrant's financial statements. In its view, changes and more detail were warranted because this incident reflected a material change in the company's risk profile relative to earlier timeframes. Some companies regularly provide examples of security incidents in their financial statements. This provides additional transparency and also addresses concerns about generic cybersecurity risk factors.
I'm curious about your thoughts on this coming after the motion to dismiss in the SolarWinds case. If the company assessed the risk and determined in good faith that the risks were not material, can the SEC effectively second-guess the company's decision? The court in SolarWinds supported much of the disclosure methodology that was used there.
VP Services at Halcyon
4 months
So the government couldn't prove that there was any material harm, and four years later we have no proof of harm to its business (loss of contracts, lawsuits from clients, etc.). Regardless, the government claims they were negligent to its investors four years later and should fine them accordingly? Isn't four years enough time to prove that if critical data was stolen (regardless of proof), we would know by now what could result in losses? Is the reasoning "we speculate that at the time there could have been harm and CHKP should have framed it differently to investors" and therefore a fine? By the logic that they should have had logs, a threat actor who erases logs but does no damage provides the benefit of doing nothing material but forces companies to infer the worst possible scenario?
Committed to aiding CISO's drive effective communications with Board Members, C-Suite peers and Business Unit leaders through the development of a business objective centric Cyber Risk Management capability.
4 months
The absence of logs is in fact a significant point. From a cyber security perspective it could indicate the logs were erased to mask the exfiltration. The likelihood increases with the actor being in the environment for so long and having downloaded at least one tool for compression prior to exfiltration. The likelihood of erased or tampered logs would be compatible with activity in an attack chain from an advanced threat actor.