SEC Targets Misleading Cybersecurity Disclosures with Enforcement Actions
October 31, 2024
The Case
The United States Securities and Exchange Commission (SEC) has charged four companies, both current and former public entities, with making materially misleading disclosures regarding cybersecurity risks and intrusions, resulting in nearly $7 million in total penalties. The proceedings fall into two categories: disclosing a cyberattack while omitting material information about it, and failing to update risk factors following a cyberattack.
The SEC emphasized that public companies downplaying the extent of a cybersecurity breach “further victimize their shareholders or other members of the investing public by providing misleading disclosures.”
Regulatory Implications
The SEC’s recent enforcement actions highlight the agency’s increasing focus on cybersecurity disclosures and the importance of accurate, transparent reporting. Companies found to have minimized or omitted key details about cybersecurity incidents now face steep penalties, sending a clear message about disclosure expectations. Key takeaways include:
Materiality in Cybersecurity Disclosures:
Companies must thoroughly evaluate and disclose material cybersecurity incidents, balancing qualitative and quantitative factors.
Misrepresenting or omitting the extent or impact of a breach can result in regulatory penalties and shareholder lawsuits.
Evolving Regulatory Standards:
Although the incidents predated the 2023 Cybersecurity Rule, the SEC’s actions emphasize its broader expectation for detailed, accurate disclosures, especially when cybersecurity risks evolve post-incident.
Enhanced Governance and Processes:
Failures at the governance level, such as inadequate escalation procedures and poor communication between cybersecurity teams and disclosure decision-makers, were cited as critical issues. These breakdowns led to delays in reporting and inaccurate disclosures.
Practical Guidance for Firms
To avoid regulatory pitfalls, public companies must refine their cybersecurity disclosure processes and governance frameworks. Proactive actions to consider include:
Streamline Disclosure Practices:
Develop clear procedures for escalating cybersecurity incidents to decision-makers responsible for evaluating materiality.
Create robust protocols to ensure timely and accurate updates to SEC filings when new information emerges about previously disclosed incidents.
Strengthen Risk Factors:
Align cybersecurity risk factors with real-world incidents, avoiding generic language or hypothetical framing.
Include insights from internal and external investigations for a comprehensive view of potential vulnerabilities.
Bolster Governance:
Ensure board-level cybersecurity oversight is clear, assigning responsibilities to specific committees and updating charters as necessary.
Provide boards with regular, detailed updates on cybersecurity risks, incident response, and governance readiness.
Focus on Incident Response Readiness:
Revise incident response plans to incorporate regulatory considerations, particularly timelines for assessing and disclosing materiality.
Conduct simulations to test the effectiveness of these plans under real-world scenarios.
Invest in Comprehensive Compliance Support:
Review disclosure controls and processes to prevent lapses in accuracy or timing.
Collaborate with legal and compliance experts to draft disclosures that balance technical details with regulatory expectations.