The SEC’s Division of Enforcement has conducted a lot of investigations of cybersecurity incidents in recent years, but it is important to keep in mind that there have been only four Enforcement actions brought against companies in the five years since the 2018 interpretative release.
Here are some of the notable takeaways from those actions:
1. The four actions focus on material misstatements and omissions regarding cyber incidents and deficiencies in cybersecurity disclosure controls and procedures.
2. Three of the four actions involve negligence charges stemming from materially misleading disclosures and omissions regarding cybersecurity incidents and risks, but not intentional or reckless fraud.
3. All four actions involve charges related to deficiencies in disclosure controls and procedures.
4. These actions all involve unauthorized access and/or theft of sensitive personally identifiable information.
5. The companies that were the subject of these actions settled to administrative charges on a “neither admit nor deny” basis.
The SEC does have ongoing investigations of cybersecurity incidents, including those related to the SolarWinds breach, and I do expect that we will continue to see the SEC bring actions based on the old interpretive guidance and pre-existing requirements even when the new rules go into effect.
– Dave Lynn