Cybersecurity & the SEC Enforcement
BY: Joshua Stein, RBFL Student Editor
Since the internet boom in the early 2000’s, cybersecurity risks have developed into significant threats to investors, markets, and the economy in general. This article explores the possible changes to regulations regarding cybersecurity and their effects on the public sector. The article largely focuses on SEC guidance surrounding cybersecurity and anticipates the upcoming SEC guidance by analyzing recent government actions dealing with the topic.
In the past decade, the SEC has continuously monitored these “new age” threats of security related to technology, proposing rules for corporations to follow to avoid potential attacks and limit the consequences of these attacks. The goal of the SEC in implementing these new rules is to create transparency for investors and other interested parties by eliminating elective disclosures and deterring corporations from refraining from disclosing material information.
In October 2011, the SEC’s Division of Corporation Finance issued its first guidance on the topic, stating that “[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents,” companies nonetheless may be obligated to disclose such risks and incidents. In 2018, the SEC offered two additional recommendations to address developments in the cyber space following 2011. The guidance stressed the “importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents” and reminded companies and their “directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws.” In particular, the SEC pointed to the “obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”
The updated SEC guidance is expected to be released in 2022 after being pushed back from Fall 2021, and although there is not much available information about the new rules yet, we can speculate on certain policy points based on recent actions by the government. Recently, Congress enacted The Cybersecurity Information Sharing Act of 2015 and the Internet of Things Cybersecurity Improvement Act of 2020. While the 2020 Act is focused on government agencies and employees, it is based on the 2015 Act which established certain protections to “encourage companies voluntarily to share information—specifically, information about ‘cyber threat indicators’ and ‘defensive measures’—with the federal government, state and local governments, and other companies and private entities.” President’s Biden’s Executive Order on Improving the Nation’s Cybersecurity (Cyber EO) from May of 2021 also offered insight into the upcoming SEC rules, though it did not focus on security of consumer products.
Beyond direct guidance offered by the SEC, early enforcement trends from SEC Chairman Gary Gensler provide a picture of how his administration will act towards cybersecurity concerns. Gensler has already shifted the SEC’s focus further towards disclosure violations since he was sworn into the Chairman position in April 2021. In June 2021, the SEC settled charges with First American Financial Corporation in “one of the first instances in which the SEC had brought charges in the absence of an actual data breach or intrusion by a third party.” Gensler has made it clear that cybersecurity will be a priority for the SEC, and strict enforcement of disclosure rules will become routine as technology continues to develop.
As blockchains, cryptocurrencies, and other advances in business and technology move the operations of corporations to digital mediums, cyberattacks become a greater threat to investors and the corporations they invest in. While the atmosphere of cybersecurity within the financial sector is continuously changing, the upcoming SEC proposal should provide increased insight into the path that the government is taking to educate corporations and investors to prevent the threat.
Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. §§ 229, 249 (Sec. Exch. Comm’n, Feb. 26, 2018).
Vivek Mohan, David Simon & Richard Rosenfeld, SEC Increasingly Turns Focus Toward Strength of Cyber Risk Disclosures, Harv. L.F. on Corp. Governance (July 25, 2021). https://corpgov.law.harvard.edu/2021/07/25/sec-increasingly-turns-focus-toward-strength-of-cyber-risk-disclosures/ [https://perma.cc/4YBA-JGNF].
Our goals, U.S. Sec. Exch. Comm’n, https://www.sec.gov/our-goals (Oct. 16, 2018)) [https://perma.cc/ZH9C-MTGL]
CF Disclosure Guidance: Topic No. 2 – Cybersecurity, U.S. Sec. Exch. Comm’n (Oct. 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm [https://perma.cc/KWX5-5BQH].
Rajesh De Et Al., President Biden Issues Executive Order to Improve Nation’s Cybersecurity, Mayer Brown, (May 17, 2021), https://www.mayerbrown.com/en/perspectives-events/publications/2021/05/president-biden-issues-executive-order-to-improve-nations-cybersecurity [https://perma.cc/ZJ27-9MMT]
Brad S. Karp, Paul, Weiss, & Rifkind, Federal Guidance on the Cybersecurity Information Sharing Act of 2015, Harv. L.F. on Corp. Governance (March 3, 2016), https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/ [https://perma.cc/C9KQ-M2JS]
Julianne Landsvik, Randall Lee & Michael Welsh, Early SEC Enforcement Trends from chairman Gensler’s first 100 Days, The Harv. L. Sch. F. on Corp. Governance (Aug. 11, 2021), https://corpgov.law.harvard.edu/2021/08/11/early-sec-enforcement-trends-from-chairman-genslers-first-100-days/ [https://perma.cc/TG2L-YYV7]
Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, (Sep. 25, 2017) (on file with author)
Final rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, 17 C.F.R. § 210-74 (2003)