Increased Regulatory Scrutiny of Cybersecurity Incidents
Historically, the SEC's enforcement actions related to security incidents have been brought against investment advisers and broker-dealers. Since 2021, however, three cases have been resolved with companies agreeing to pay fines related to the adequacy of their disclosures regarding material cybersecurity incidents, and another enforcement action may be on the way. According to SolarWinds’ October 28, 2022 Form 8-K, the SEC issued a Wells Notice to SolarWinds stating that the SEC had made a preliminary determination to recommend the filing of an enforcement action against SolarWinds alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.
The SEC’s increased focus on cybersecurity is clear – starting with a January 2022 speech by SEC Chairman Gensler and the announcement that it is adding 20 positions to the Crypto Assets and Cyber Unit. Overall, SEC investigations and enforcement actions increased in 2022: the SEC filed 462 new enforcement actions, a 6.5% increase over the previous year.
Proposed Rules on Cybersecurity Disclosures
In that same January 2022 speech, SEC Chairman Gensler identified the following areas where he anticipated increased SEC regulation in connection with cybersecurity:
- Updates to Regulations SCI and S-P, impacting SEC registrants;
- A significant increase in disclosure requirements impacting public companies; and
- Potential new measures to address cybersecurity risks from service providers, including potentially regulating third-party providers.
Following these comments, the SEC released proposed rules intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cyber incident reporting by companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. In its press release, the SEC stated the proposed rules are intended to:
- Provide timely notification of material cybersecurity incidents;
- Better inform investors about such companies’ risk management, strategy, and governance; and
- Enable investors to assess the possible long- and short-term financial or operational effects of a material cyber incident.