TheCorporateCounsel.net

June 29, 2023

Cyber Resiliency: The SEC’s Enforcement Director Weighs In

Last week at the Financial Times Cyber Resilience Summit, SEC Enforcement Director Gurbir Grewal spoke about the SEC’s approach to cybersecurity issues, without weighing in on the pending rulemaking for public companies and regulated entities. He shared five principles “that guide the work we are doing across the Enforcement Division to ensure that registrants take their cybersecurity and disclosure obligations seriously.” The five principles are:

1. “[W]hen there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents…So in addition to ensuring that market participants are doing their part to prevent and respond to cyber events, our goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.”

2. “[F]irms need to have real policies that work in the real world, and then they need to actually implement them; having generic ‘check the box’ cybersecurity policies simply doesn’t cut it.”

3. “[R]egistrants [must] regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective. And relatedly, registrants and the professionals that counsel them would be well-served by reviewing the Commission’s enforcement actions and public orders on these topics. They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations.”

4. “When a cyber incident does happen, the right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.”

5. “[W]e have zero tolerance for gamesmanship around the disclosure decision. Here, I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk. Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper technical readings of the rules, or by minimizing the cyber incident. Don’t do that. It doesn’t work for the customers whose data is at risk. It doesn’t work for the shareholders who are kept in the dark about material information. And it most certainly doesn’t work for the company, which will most likely face stiffer penalties once the breach gets out, as it invariably will, and if it turns out that the company violated its obligations.”

Grewal went on to note that, with respect to cybersecurity matters and more broadly, “firms that meaningfully cooperate with an SEC investigation, including by coming in to speak with us or self-reporting, receive real benefits, such as reduced penalties or even no penalties at all.”

– Dave Lynn