{"id":1555,"date":"2022-05-07T16:51:30","date_gmt":"2022-05-07T20:51:30","guid":{"rendered":"https:\/\/www.bu.edu\/rbfl\/?p=1555"},"modified":"2022-05-07T16:51:30","modified_gmt":"2022-05-07T20:51:30","slug":"cybersecurity-the-sec-enforcement","status":"publish","type":"post","link":"https:\/\/www.bu.edu\/rbfl\/2022\/05\/07\/cybersecurity-the-sec-enforcement\/","title":{"rendered":"Cybersecurity &#038; the SEC Enforcement"},"content":{"rendered":"<p>BY: Joshua Stein, RBFL Student Editor<\/p>\n<p><span style=\"font-weight: 400;\">Since the internet boom in the early 2000\u2019s, cybersecurity risks have developed into significant threats to investors, markets, and the economy in general. This article explores the possible changes to regulations regarding cybersecurity and their effects on the public sector. The article largely focuses on SEC guidance surrounding cybersecurity and anticipates the upcoming SEC guidance by analyzing recent government actions dealing with the topic.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the past decade, the SEC has continuously monitored these \u201cnew age\u201d threats of security related to technology, proposing rules for corporations to follow to avoid potential attacks and limit the consequences of these attacks. The goal of the SEC in implementing these new rules is to create transparency for investors and other interested parties by eliminating elective disclosures and deterring corporations from refraining from disclosing material information.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In October 2011, the SEC\u2019s Division of Corporation Finance issued its first guidance on the topic, stating that \u201c[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents,\u201d companies nonetheless may be obligated to disclose such risks and incidents. In 2018, the SEC offered two additional recommendations to address developments in the cyber space following 2011. The guidance stressed the \u201cimportance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents\u201d and reminded companies and their \u201cdirectors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws.\u201d In particular, the SEC pointed to the \u201cobligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The updated SEC guidance is expected to be released in 2022 after being pushed back from Fall 2021, and although there is not much available information about the new rules yet, we can speculate on certain policy points based on recent actions by the government. Recently, Congress enacted <\/span><span style=\"font-weight: 400;\">The Cybersecurity Information Sharing Act of 2015 and the Internet of Things Cybersecurity Improvement Act of 2020. While the 2020 Act is focused on government agencies and employees, it is based on the 2015 Act which established certain protections to \u201cencourage companies voluntarily to share information\u2014specifically, information about \u2018cyber threat indicators\u2019 and \u2018defensive measures\u2019\u2014with the federal government, state and local governments, and other companies and private entities.\u201d <\/span><span style=\"font-weight: 400;\">President\u2019s Biden\u2019s Executive Order on Improving the Nation\u2019s Cybersecurity (Cyber EO) from May of 2021 also offered insight into the upcoming SEC rules, though it did not focus on security of consumer products.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Beyond direct guidance offered by the SEC, early enforcement trends from SEC Chairman Gary Gensler provide a picture of how his administration will act towards cybersecurity concerns. Gensler has already shifted the SEC\u2019s focus further towards disclosure violations since he was sworn into the Chairman position in April 2021. In June 2021, the SEC settled charges with First American Financial Corporation in \u201cone of the first instances in which the SEC had brought charges in the absence of an actual data breach or intrusion by a third party.\u201d Gensler has made it clear that cybersecurity will be a priority for the SEC, and strict enforcement of disclosure rules will become routine as technology continues to develop.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As blockchains, cryptocurrencies, and other advances in business and technology move the operations of corporations to digital mediums, cyberattacks become a greater threat to investors and the corporations they invest in. While the atmosphere of cybersecurity within the financial sector is continuously changing, the upcoming SEC proposal should provide increased insight into the path that the government is taking to educate corporations and investors to prevent the threat.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>\u00a0Citations<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Commission Statement and Guidance on Public Company Cybersecurity Disclosures<\/span><span style=\"font-weight: 400;\">, 17 C.F.R. \u00a7\u00a7 229, 249 (Sec. Exch. Comm\u2019n, Feb. 26, 2018).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Vivek Mohan, David Simon &amp; Richard Rosenfeld, <\/span><i><span style=\"font-weight: 400;\">SEC Increasingly Turns Focus Toward Strength of Cyber Risk Disclosures<\/span><\/i><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">Harv. L.F. on Corp. Governance<\/span><span style=\"font-weight: 400;\"> (July 25, 2021). <\/span><a href=\"https:\/\/corpgov.law.harvard.edu\/2021\/07\/25\/sec-increasingly-turns-focus-toward-strength-of-cyber-risk-disclosures\/\"><span style=\"font-weight: 400;\">https:\/\/corpgov.law.harvard.edu\/2021\/07\/25\/sec-increasingly-turns-focus-toward-strength-of-cyber-risk-disclosures\/<\/span><\/a><span style=\"font-weight: 400;\"> [https:\/\/perma.cc\/4YBA-JGNF].<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Our goals<\/span><\/i><span style=\"font-weight: 400;\">, U.S. <\/span><span style=\"font-weight: 400;\">Sec. Exch. Comm\u2019n<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400;\"> https:\/\/www.sec.gov\/our-goals (Oct. 16, 2018)) [https:\/\/perma.cc\/ZH9C-MTGL]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CF Disclosure Guidance: Topic No. 2 \u2013 Cybersecurity, U.S. <\/span><span style=\"font-weight: 400;\">Sec. Exch. Comm\u2019n<\/span><span style=\"font-weight: 400;\"> (Oct. 13, 2011),\u00a0 <\/span><a href=\"https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/cfguidance-topic2.htm\"><span style=\"font-weight: 400;\">https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/cfguidance-topic2.htm<\/span><\/a><span style=\"font-weight: 400;\"> [https:\/\/perma.cc\/KWX5-5BQH].<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Rajesh De Et Al., <\/span><i><span style=\"font-weight: 400;\">President Biden Issues Executive Order to Improve Nation\u2019s Cybersecurity<\/span><\/i><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">Mayer Brown<\/span><span style=\"font-weight: 400;\">, (May 17, 2021), <\/span><a href=\"https:\/\/www.mayerbrown.com\/en\/perspectives-events\/publications\/2021\/05\/president-biden-issues-executive-order-to-improve-nations-cybersecurity\"><span style=\"font-weight: 400;\">https:\/\/www.mayerbrown.com\/en\/perspectives-events\/publications\/2021\/05\/president-biden-issues-executive-order-to-improve-nations-cybersecurity<\/span><\/a><span style=\"font-weight: 400;\"> [https:\/\/perma.cc\/ZJ27-9MMT]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Brad S. Karp, Paul, Weiss, &amp; Rifkind, <\/span><i><span style=\"font-weight: 400;\">Federal Guidance on the Cybersecurity Information Sharing Act of 2015<\/span><\/i><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">Harv. L.F. on Corp. Governance<\/span><span style=\"font-weight: 400;\"> (March 3, 2016), <\/span><a href=\"https:\/\/corpgov.law.harvard.edu\/2016\/03\/03\/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015\/\"><span style=\"font-weight: 400;\">https:\/\/corpgov.law.harvard.edu\/2016\/03\/03\/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015\/<\/span><\/a><span style=\"font-weight: 400;\"> [https:\/\/perma.cc\/C9KQ-M2JS]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Julianne Landsvik, Randall Lee &amp; Michael Welsh, <\/span><i><span style=\"font-weight: 400;\">Early SEC Enforcement Trends from chairman Gensler&#8217;s first 100 Days<\/span><\/i><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">The Harv. L. Sch. F. on Corp. Governance<\/span><span style=\"font-weight: 400;\"> (Aug. 11, 2021), https:\/\/corpgov.law.harvard.edu\/2021\/08\/11\/early-sec-enforcement-trends-from-chairman-genslers-first-100-days\/\u00a0 [https:\/\/perma.cc\/TG2L-YYV7]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, (Sep. 25, 2017) (on file with author)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Final rule: Management&#8217;s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,\u00a0 17 C.F.R. \u00a7 210-74 (2003)<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BY: Joshua Stein, RBFL Student Editor Since the internet boom in the early 2000\u2019s, cybersecurity risks have developed into significant threats to investors, markets, and the economy in general. This article explores the possible changes to regulations regarding cybersecurity and their effects on the public sector. The article largely focuses on SEC guidance surrounding cybersecurity [&hellip;]<\/p>\n","protected":false},"author":19154,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/posts\/1555"}],"collection":[{"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/users\/19154"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/comments?post=1555"}],"version-history":[{"count":1,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/posts\/1555\/revisions"}],"predecessor-version":[{"id":1556,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/posts\/1555\/revisions\/1556"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/media?parent=1555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/categories?post=1555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bu.edu\/rbfl\/wp-json\/wp\/v2\/tags?post=1555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}