The Securities and Exchange Commission’s new cybersecurity disclosure rules have potentially exposed public companies to increased class action liability risks, according to analysts. But a recent Supreme Court decision is expected to soften the blow.
Earlier this month, the high court ruled in Macquarie Infrastructure Corp. v. Moab Partners that a “pure omission” of information in a disclosure required by the SEC does not, itself, give rise to private claims under Section 10(b) of the Securities Exchange Act, which prohibits securities fraud. The 9-0 decision, however, left the door open for claims based on “misleading half-truths.”
“If Macquarie had gone in the other direction, future plaintiffs’ lawyers might have possibly claimed that a company failed to meet its obligations under the cyber rules simply by leaving out information required by the rules,” Walker Newell, vice president of management liability at insurance brokerage firm Woodruff Sawyer, said in an email. “That avenue is now unavailable for Section 10(b) cases.”
In the case, shareholder plaintiffs alleged that Macquarie Infrastructure’s failure to disclose a change in certain international regulations constituted securities fraud since the company was required to report “known trends and uncertainties” under Item 303 of SEC Regulation S-K.
In 2021, the U.S. District Court for the Southern District of New York dismissed the case for failure to state a claim. The Second Circuit reversed on appeal, holding that the company had a duty to disclose the change in international regulations under Item 303 and that the omissions alone could support a claim for securities fraud.
The Supreme Court disagreed.
“[T]his Court confirms that the failure to disclose information required by Item 303 can support a Rule 10b–5(b) claim only if the omission renders affirmative statements made misleading,” said the unanimous opinion, written by Justice Sonia Sotomayor.
While the case involved Item 303, it has implications for other disclosure obligations under Regulation S-K, including those related to cybersecurity risk management and climate change, according to analysts.
“Had the court ruled the other way — that is, in favor of the plaintiffs in this case — the impact could have been significant,” Kevin LaCroix, an attorney and executive vice president of RT ProExec, a division of specialty insurance services company RT Specialty, said in an email.
In light of remaining liability risks, public companies would be wise to stay vigilant in crafting investor communications — including with respect to cybersecurity disclosure, according to Scott Kimpel, a partner at Hunton Andrews Kurth LLP.
“The unanimous opinion comes as welcome relief to the corporate issuer community, but the court was careful to limit its opinion and left open alternate theories of liability for pure omissions,” he said in an email.
Also, even if a Reg. S-K violation by itself is not sufficient to support an investor liability claim, the SEC still has jurisdiction to pursue claims against reporting companies for violations of its rules, LaCroix warned.
“One concern might be, in light of this ruling, that reporting companies might be inclined to be silent about cybersecurity issues, notwithstanding the SEC’s cybersecurity disclosure guidelines,” he said. “This would be an ill-advised strategy for a company to pursue, one that I think few companies would follow.”
Under the SEC’s new cybersecurity rules, adopted last year, companies must determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination,” per the ruling.
Companies must also annually describe on Form 10-K their board of directors’ oversight of cybersecurity risks.
The new rules are expected to subject public companies to increased scrutiny from both the SEC and plaintiff attorneys.
“Inadequate or misleading disclosures could potentially lead to allegations of securities law violations, such as misrepresentation or omission of material information, thereby laying the groundwork for securities class actions,” Ethan Collins, a risk advisor at insurance brokerage firm Hylant Group, wrote in a blog post last month.
Priya Cherian Huskins, Woodruff Sawyer’s senior vice president of management liability, predicted in an August 2023 blog post that the plaintiffs’ bar would “scour” incident disclosures for opportunities to file lawsuits.
“We should also expect that they will attempt to challenge the veracity of the risk management and governance disclosures any company has made before a cyber breach, be it through a securities suit or a breach of fiduciary duty suit,” Huskins wrote.
Despite the Supreme Court’s decision in Macquarie, Newell said he still expects plaintiffs to carefully scrutinize public companies’ disclosures.
“This will include scrubbing the 10-K risk management disclosures and trying to make the case that a company’s description of its cyber program was misleading by omission in light of gaps that were revealed in the wake of a breach,” he said.