
In what is likely to be the last cybersecurity-related enforcement action by the SEC under outgoing chair Gary Gensler, the agency has brought a settled enforcement action against asset management firm Ashford, Inc., alleging that the company made misrepresentations in its periodic reporting documents about a cybersecurity-related incident at the firm. As discussed below, the action raises questions about what may come next for SEC cybersecurity-related enforcement under the new administration. A copy of the SEC’s January 13, 2025, complaint in the enforcement action can be found here. The SEC’s January 13, 2025, press release about the action can be found here.
Background
In its complaint, the SEC described Ashford as “an alternative asset management company.” The company serves as an advisor to two NYSE-listed real estate investment trusts that together own 83 hotels. In September 2023, at the time of the cyber incident at issue in the SEC’s enforcement action, Ashford was a publicly traded company. The company delisted from the NYSE in July 2024. As a publicly traded company at the relevant time, Ashford was subject to the requirements under the federal securities laws to make periodic reports to the SEC.
The Cyber Incident and Ashford’s Disclosures
In September 2023, the company learned that it had been subject to a cybersecurity attack and ransomware demand initiated by a foreign-based threat actor. As part of the attack, the threat actor had gained access to Ashford’s servers and exfiltrated more than 12 terabytes of data from Ashford’s internal computer systems. As the SEC later alleged, the exfiltrated data contained sensitive hotel guest information.
In November 2023, in its quarterly report to the SEC, Ashford said that during the quarter ended September 30, 2023, the company had experienced a “cyber incident” that “resulted in potential exposure of certain employee information.” The company further said that “We have completed an investigation and have identified certain employee information may have been exposed, but we have not identified that any customer information was exposed.” The company made substantially identical disclosure statements in its 2023 10-K and in its quarterly reports for the first and second quarters of 2024.
The SEC alleges that Ashford “knew or should have known that its disclosures concerning the September 2023 Cyber Incident” were “false and misleading.” Specifically, the SEC alleges that the company knew or should have known that the exfiltrated data “contained sensitive personally identifiable information and financial information related to guests.”
According to the Wall Street Journal’s January 14, 2025, article about the SEC’s enforcement action (here), the exfiltrated data contained sensitive information about 46,000 people, including photographs of identity cards used to check into the hotel, the last four digits of some credit-card numbers, bank-account numbers, and vehicle registration information.
The SEC’s Enforcement Action
On January 13, 2025, the SEC filed a settled complaint against Ashford in the Northern District of Texas. The complaint alleges that the company violated Sections 13(a) and 17(a)(3) of the Securities Exchange Act of 1934 and relevant rules thereunder. Without admitting or denying the SEC’s allegations, Ashford agreed to settle the SEC’s charges, consenting to an injunction and an order to pay a civil penalty of $115,231. According to the SEC’s press release, the settlement amount “takes into account Ashford’s assistance to the SEC staff in its investigation.” The settlement is subject to court approval.
Discussion
According to the Journal article to which I linked above, this case is “likely one of the last cyber-related enforcement actions at the SEC before its chair, Gary Gensler, a Democrat, resigns as President-elect Donald Trump’s administration takes office next week.”
It remains to be seen how the agency under Paul Atkins, whom Trump has indicated he will nominate as SEC Chair, will proceed with respect to cyber incident-related disclosure enforcement.
This action certainly is representative of the approach the agency has taken under Gensler. As the Journal notes, this action “emphasizes the SEC’s continued focus on how companies inform investors and their customers about breaches.” The SEC has, as the Journal also notes, “in recent years launched enforcement actions against companies that fail to disclose attacks adequately or quickly enough.”
The agency under Gensler also finalized cybersecurity disclosure rules, which took effect in December 2023 and which require companies to make certain specified cyber incident disclosures within four days of determining that an incident is material. Some commentators have speculated that under the new administration the agency may withdraw, or decline to enforce, the cyber disclosure rules, or at least some parts of them.
The Journal article quotes sources as saying that during the second Trump administration, “the SEC may have a lighter enforcement touch.” One commentator conjectures that under the new administration, companies “will still have to report cyberattacks,” but the agency “might give companies more time to disclose hacks.” The current Republican SEC Commissioners have also criticized the agency’s cybersecurity enforcement, saying that the agency was playing “Monday morning quarterback” by imposing penalties on companies that were themselves victims of cyber-crimes.
It does seem likely that the SEC’s approach to cyber incident disclosures could be different under the new administration. However, I question whether, even under a lighter touch regime, the agency would necessarily take a different approach to a case where the allegation is that the company knew or should have known that customer data had been exfiltrated but failed to disclose that to investors – and in fact was alleged to have actively stated that its investigation had not found that customer data had been exposed. I suppose the question is whether the agency under the new administration would bring this kind of action at all, or at least this specific action. Hard to say. It will be interesting to see how much things do in fact change under the new administration.