SEC director identifies misleading disclosures of cybersecurity events as a top priority

In an earlier post, we discussed how a recent study by the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) revealed varying levels of cybersecurity preparedness and controls among brokers and financial advisors. We ended by anticipating broader enforcement actions against the financial sector for cyber breaches, and it appears the SEC has come to the same conclusion.

On Friday, the director of the SEC’s Chicago Regional Office acknowledged cybersecurity as “an area where we have not brought a significant number of cases yet, but is high on our radar screen.” He also identified two areas of particular interest to the SEC: first, whether companies have cybersecurity controls in place to protect market integrity and what those controls are, and second, how adequately companies disclose “material” cyber breaches. Moreover, he did not limit his commentary to the finance industry, leading us to anticipate SEC investigations and enforcement actions throughout the broader public market.

As a result, publicly traded companies should begin speaking with internal and external counsel about whether and how to disclose cyber breaches of any magnitude in SEC filings. If faced with a cyber breach, companies should consult with external counsel familiar with SEC investigation and enforcement trends, rules, and objectives to determine whether reporting a breach is necessary under the SEC’s Staff guidance.