The Apache Log4j vulnerability continues to receive particular attention in the public and private sectors. In a recent interview, the director of the US Cybersecurity and Infrastructure Security Agency (CISA) described Log4j as the “most serious vulnerability” she has seen in her decades-long career. On December 22, 2021, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and international partners, released a joint advisory warning that malicious cyber actors are already scanning for and exploiting the thousands of vulnerable systems around the world.
Security researchers predict that organizations will be dealing with the vulnerability (and its fallout) for months to come. CISA has created a Log4j web page to provide an up-to-date, authoritative resource with guidance and mitigation resources for network defenders, as well as a GitHub repository of affected devices and services. These government resources establish a baseline of reasonable security for the Log4j response and, in effect, provide a potential roadmap for legal compliance.
While the wolf at the door may be the technical challenge of identifying and remediating the vulnerability, public companies also need to monitor how their internal controls and procedures operate during the response. Companies should also assess the impact the Log4j vulnerability may have on their business, financial condition and results of operations. These assessments will determine whether a public company has disclosure obligations under US securities law. Indeed, the Securities and Exchange Commission (SEC) has emphasized that public companies must take “all required actions” to inform investors of material cybersecurity risks and incidents1 in a timely manner. The risks and incidents covered may include those that have not yet matured into a cyber attack.
A public company may have the best policies and procedures on paper, but if they are not applied correctly and the proper flow of information does not exist, the risk of enforcement abounds. This is especially true where, as here, the vulnerability is so prevalent (over 100 million devices and servers are reportedly affected) and is being actively exploited by malicious actors, including those associated with nation-states.
The SEC has a proven track record of bringing enforcement actions against public companies for deficient disclosures and controls related to cybersecurity risks and incidents; these actions include instances where management failed to conduct a proper investigation and adequately consider whether a breach should be disclosed to investors, as well as a cybersecurity incident that was not remediated in accordance with company policy or properly escalated to senior management.
If past is prologue, the SEC could send information requests to companies that have installed a vulnerable version of Log4j and ask them to provide more details on their use of the software as well as any compromises by external actors, regardless of materiality or of access to material non-public information. Although Log4j is open source software and there is no ready list of the companies that have installed it, the US government maintains a continually updated list of known vulnerable vendors/applications involving Log4j. Log4j is also on the radar of regulators; for example, the SEC has highlighted it on its website.
As the Log4j problem continues to develop, company personnel responsible for developing and overseeing disclosure controls and procedures should have a line of sight into the technical response and ensure that the company's controls and procedures are being applied correctly. They must also be vigilant, in a dynamic threat environment, about obtaining sufficient information to meaningfully assess disclosure obligations, including by asking:
If so, what is the assessed impact on reputation, financial performance, and relationships with customers and suppliers?
If the company has systems or applications running vulnerable versions of Log4j, what is the remediation plan for those systems or applications, and how long will it take to remediate them effectively?
Has the company conducted due diligence on its suppliers, especially those with access to company data and/or systems, to determine whether they have been affected by Log4j?
Has the company previously experienced cybersecurity incidents and, if so, were they disclosed to investors?
When preparing a disclosure, public companies should provide sufficient detail about a material cybersecurity risk or incident so as not to over-generalize; at the same time, companies should avoid details that could allow malicious actors to target exploitable software running on corporate systems.2 Finally, companies should be mindful of the prohibition on insiders trading in company securities while in possession of material non-public information, which may include knowledge regarding the impact of Log4j.3
1A “cybersecurity incident” is “[a]n event which actually or potentially leads to negative consequences for… an information system or the information that the system processes, stores or transmits and which may require a response action to mitigate the consequences.” US Computer Emergency Readiness Team (US-CERT) website, available at https://niccs.us-cert.gov/glossary#I.
2In its February 2018 guidance, the SEC noted that it does not expect companies to make detailed disclosures that could compromise the company’s cybersecurity efforts, for example by providing a “roadmap” for those seeking to penetrate a company’s security protections; nor does the SEC expect companies to publicly disclose specific technical information about their cybersecurity systems, associated networks and devices, or potential system vulnerabilities in such detail as would make those systems, networks and devices more susceptible to a cybersecurity incident. Nonetheless, the SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including the financial, legal or reputational consequences that flow from them.
3In 2018, the SEC charged several former Equifax employees with insider trading ahead of the company’s September 2017 announcement of a widespread data breach that exposed Social Security numbers and other personal information of approximately 148 million US consumers. See Former Equifax Executive Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-40; Former Equifax Manager Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-115.