The Apache Log4j vulnerability continues to command significant attention throughout the public and private sectors. In a recent interview, the director of the US Cybersecurity and Infrastructure Security Agency (CISA) described Log4j as the “most serious vulnerability” she has seen in her decades-long career. On December 22, 2021, CISA, along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and international law enforcement partners, issued a joint advisory cautioning that malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world.
Security researchers predict that organizations will be contending with the vulnerability (and its fallout) for months to come. CISA created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders as well as a community-sourced GitHub repository of affected devices and services. These government resources are setting the baseline on reasonable security for Log4j response and, in essence, providing a potential roadmap for legal compliance.
While the wolf at the door may be the technical challenge of identifying and remediating the vulnerability, public companies need to monitor the application of internal controls and procedures in the response. Companies should also assess the impact that the Log4j vulnerability may have on their business, financial condition and results of operations. These inquiries will feed into whether a public company has any disclosure obligations under US securities law. Indeed, the Securities and Exchange Commission (SEC) has emphasized that public companies must take “all required actions” to inform investors about material cybersecurity risks and incidents1 in a timely fashion. Covered risks and incidents can include those that have not yet matured to a cyberattack.
A public company can have the best policies and procedures on paper, but if they are not applied properly and there is not the appropriate flow of information, enforcement risk abounds. This is particularly true where, as here, the vulnerability is so widespread (reportedly upwards of 100 million devices and servers are affected by the security flaw) and it is actively being exploited by malign actors, including those associated with nation states.
The SEC has a demonstrated track record of bringing enforcement actions against public companies for deficient disclosure and controls related to cybersecurity risks and incidents; these actions include instances where management failed to properly investigate and adequately consider whether a breach needed to be disclosed to investors as well as a cybersecurity incident that was not remediated in accordance with company policy or properly escalated to senior executives.
If past is prelude, the SEC could send out requests for information to companies that have downloaded a compromised version of Log4j and ask them to provide further detail about software usage as well as other compromises by external actors, regardless of materiality or access to material non-public information. Although Log4j is open-source software and does not have a ready list of companies that installed it, the US government monitors a continually updated list of known vulnerable vendors/applications involving Log4j. And, Log4j is on regulators’ radar; for example, the SEC has spotlighted it on its website.
As the Log4j issue continues to unfold, company personnel responsible for developing and overseeing disclosure controls and procedures should have a line of sight into the technical response and ensure that company controls and procedures are being applied properly. They also need to be vigilant, in a dynamic threat environment, about obtaining sufficient information to meaningfully evaluate disclosure obligations, including asking:
Has the company conducted a vulnerability assessment to identify if it has potentially been impacted by Log4j?
If so, what is the assessed impact on reputation, financial performance, and customer and vendor relationships?
What, if anything, is impeding such an assessment?
If the company has systems or applications utilizing vulnerable versions of Log4j, what is the remediation plan to address those systems or applications, and how long will it take to effectively remediate?
Is there any deviation between the company’s existing policies and procedures on security incident response and vulnerability management and how Log4j is being handled?
Has the company discovered any Indicators of Compromise (IoCs) related to Log4j within its environment?
Has the company conducted diligence of its vendors, particularly those with access to company data and/or systems, to determine whether they have been impacted by Log4j?
Has the company had any previous cybersecurity incidents, and if so, were they disclosed to investors?
If they were not disclosed, what were the reasons they were determined to not be material?
In preparing a disclosure, public companies must give sufficient details of a material cybersecurity risk or incident so as not to overgeneralize; at the same time, companies should avoid details that could enable threat actors to target the exploitable software running on company systems.2 Finally, companies must be mindful of the prohibition against corporate insiders’ trading the company’s securities while in possession of material nonpublic information, which may include knowledge regarding Log4j impact.3
1A “cybersecurity incident” is “[a]n occurrence that actually or potentially results in adverse consequences to … an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.” US Computer Emergency Readiness Team website, available at https://niccs.us-cert.gov/glossary#I.
2In its February 2018 guidance, the SEC noted that it does not expect companies to make detailed disclosures that could compromise the company’s cybersecurity efforts—for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections; nor does the SEC expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cybersecurity incident. Nevertheless, the SEC does expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.