Ashford Inc. Settles SEC Charges: Cybersecurity Disclosure Scandal Unveiled

Ashford Inc., a Dallas-based asset management firm specializing in the hospitality industry, recently settled charges with the Securities and Exchange Commission (SEC) over allegations of inadequate disclosure following a 2023 cyberattack. The SEC contended that Ashford failed to inform investors that the breach compromised sensitive information of approximately 46,000 individuals, including identity card photos and partial credit card numbers. The ransomware attack affected 22 hotels, disrupting critical services. Despite Ashford's public statements indicating no customer information was compromised, the SEC alleged the company should have known otherwise. Without admitting or denying the allegations, Ashford agreed to pay a civil penalty of $115,231. This case is among the SEC's final cyber-related enforcement actions under Chair Gary Gensler, highlighting the agency's emphasis on timely and accurate disclosure of significant cyber incidents.

WSJ

In a previous incident from March 2000, Ashford.com, along with two of its executives, improperly deferred $1.5 million in expenses under a contract with Amazon.com. This action led to a material understatement of marketing expenses, allowing the company to report financial results that met analysts' expectations. The SEC found that Ashford.com's settlement of a dispute with Amazon.com involved using two separate documents, one of which was not disclosed to auditors, resulting in the misstatement of financial results.

SEC

These cases underscore the importance of transparency and adherence to regulatory standards in corporate financial reporting and cybersecurity disclosures.