Category: Policy/Legislation
SEC Continues Pursuit of Cybersecurity Enforcement
Last month, we wrote about three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement. In keeping with this theme, the SEC announced a number of significant new cybersecurity actions just last week. On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.” All eight firms agreed to settle with the SEC and will collectively pay hundreds of thousands of dollars in fines. These most recent actions underscore that companies should be mindful of whether their cybersecurity policies and procedures comply with SEC requirements and expectations.
SEC Signals Renewed Interest in Cybersecurity Disclosure Enforcement
The SEC is ramping up its cybersecurity disclosure enforcement. While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years have seen an explosion of high-profile data security incidents. That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement. First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure. Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018. And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack. In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure and implement any necessary changes to their respective policies, procedures, and disclosure practices.