Cyberattacks and disinformation campaigns are becoming more common and destructive. Investors and regulators (including the SEC) have taken notice and are demanding additional transparency from public companies. CEOs are also very concerned: according to an IR Magazine survey, 69% in North America said that cybersecurity is the greatest threat to their organization (up 19 percentage points from last year), and concern about false information rose from 16 to 28 percent. In this week’s blog we’ll discuss a few recent examples of disinformation campaigns and cybersecurity attacks, and IR’s role in disclosure and prevention.
SEC Cyber Attack Settlements – Pearson PLC and First American Financial Corp.
This summer there were two examples of large settlements and fines related to not properly disclosing breaches. They are a signal that the SEC is taking more seriously any failure to disclose cybersecurity issues that could have a material impact on the company.
First American Financial (a real estate services company) paid a $500 thousand fine for lack of disclosure after a system vulnerability exposed 800 million images, including SSNs and private financial information. This was the first time that the SEC got directly involved in the internal affairs of a company regarding cybersecurity.
Pearson PLC (a British publishing company) agreed to pay the SEC $1 million in settlements for misleading investors after a 2018 cybersecurity breach resulted in the theft of millions of student records. Pearson said it had “strict protections” in place, but failed to act for six months on the vulnerability after it was notified, the SEC found. In 2019 they disclosed in the annual report that the data breach may have included birth dates and email addresses, but at that point they knew that those records were stolen.
The First American and Pearson cases show that the SEC (and therefore other regulators around the world) is now taking cybersecurity much more seriously. In March, President Biden even declared cybersecurity one of the top priorities for national security. IR teams therefore need to make sure that proper information flows are in place for executives to learn about security issues that might require disclosure, and that executives understand the potential consequences of not disclosing. In addition, IROs will need to be prepared to answer in-depth questions from investors and analysts about their company’s security measures. And companies and investors need to be aware of the dangers of fake information.
Disinformation – Walmart and Litecoin
Last Monday, a fake press release came out claiming that Walmart would be accepting Litecoin as a payment method, which caused the price of Litecoin to jump about 30% from $175 to $230. This was a classic pump and dump scam; the fraudsters likely held Litecoin, placed the press release, and sold off near its peak before the market got wise.
The astonishing part, and the lesson for IROs and their companies, is that the fake press release went undetected by several large organizations that should have caught it. Even though it contained “statements” from Walmart’s CEO Doug McMillon and Litecoin’s creator Charlie Lee, there were several clues that something was fishy: the contact email address used “walmart-corp.com”, which isn’t an authorized Walmart site; the press contact doesn’t work in Walmart’s media division; Walmart usually uses Business Wire instead of GlobeNewswire; and Litecoin isn’t one of the top cryptocurrencies, which would make it a strange choice for Walmart.
Regardless, it was still published by GlobeNewswire, picked up by outlets like Bloomberg and Reuters, and tweeted about by the Litecoin Foundation. Walmart only found out when reporters called them to confirm and get more details. GlobeNewswire said it will implement “enhanced authentication steps to prevent this isolated incident from occurring in the future.” The case will surely lead to an SEC investigation and potential additional regulation of cryptocurrencies.
Another example came last year, when Kansas City Southern was the subject of a fake report on an unknown website called El Negocio, alleging that Blackstone and GIP were raising their offer to buy out the company. The story was picked up by Bloomberg; the stock surged and then declined when the news was denied.
In addition to cybersecurity threats, companies need to have systems in place to detect disinformation campaigns and IROs need to be prepared to answer investor questions.
IR departments have a vital role to play in ensuring that their companies are accurately disclosing attacks, and in addressing investors’ concerns about security and disinformation measures. The transparency and resulting discussion that IR teams will have with investors will help ensure that security measures are up to the highest current standards. Harvard Business Review put out a set of recommendations for operating in a stricter regulatory environment:
- Form a disclosure committee with senior level employees: conduct surveys every quarter of all areas of the company including cybersecurity, to determine what needs to be disclosed to senior executives and potentially regulators like the SEC.
- Disclose as soon as possible: In the First American Financial case it took 6 months between the time the information security team found out about the breach and the public disclosure. Ensure that your company has an information flow that moves security incidents up the ladder quickly and that executives know they’re also responsible for disclosing according to their respective regulations. Sometimes you’ll need to disclose before the full scope of the incident is understood. You can update the disclosure as the situation progresses. First American would have gotten off with a lighter penalty if they had disclosed right away.
- Assess Risks: understand what your assets are and their criticality to business operations and exposure, to prioritize actions and patches.
- Regular Executive Updates: Give C-level execs a regular update and snapshot of risk level, vulnerabilities, and new developments in the cybersecurity world.
In addition to these recommendations, it is key to be in a position to quickly deny a fake story with Bloomberg and Reuters in the event fraudsters or scammers are manipulating information. And before believing a story or press release, especially one that seems improbable, independently double-check the sources before acting on the information.
How Miranda IR Can Help
Miranda IR is happy to help with all IR needs including disclosure strategy, drafting, and dissemination.