August 21, 2023
Cybersecurity Enforcement: The Trends to Watch
The SEC’s Division of Enforcement has conducted a lot of investigations of cybersecurity incidents in recent years, but it is important to keep in mind that there have been only four Enforcement actions brought against companies in the five years since the 2018 interpretative release.
Here are some of the notable takeaways from those actions:
1. The four actions focus on material misstatements and omissions regarding cyber incidents and deficiencies in cybersecurity disclosure controls and procedures.
2. Three of the four actions involve negligence charges stemming from materially misleading disclosures and omissions regarding cybersecurity incidents and risks, but not intentional or reckless fraud.
3. All four actions involve charges related to deficiencies in disclosure controls and procedures.
4. These actions all involve unauthorized access and/or theft of sensitive personally identifiable information.
5. The companies that were the subject of these actions settled to administrative charges on a “neither admit nor deny” basis.
The SEC does have ongoing investigations of cybersecurity incidents, including those related to the SolarWinds breach, and I do expect that we will continue to see the SEC bring actions based on the old interpretive guidance and pre-existing requirements even when the new rules go into effect.
– Dave Lynn