Navigating Cybersecurity Disclosure Regulations: Insights from SEC's Director of Enforcement

The increasing frequency and sophistication of cyber threats have prompted regulatory bodies to tighten the reins on how public companies disclose and manage cybersecurity incidents. The U.S. Securities and Exchange Commission (SEC) requires public companies to quickly report cyber incidents.

In an address on June 22, 2023, Gurbir S. Grewal, Director of the SEC's Division of Enforcement, shared valuable insights into the regulatory landscape and principles guiding the SEC's approach to cybersecurity resilience. Here are some key takeaways that public companies should consider in enhancing their cyber resilience efforts:

1. Cyber Resilience vs. Cybersecurity: Mr. Grewal emphasized the concept of cyber resilience, acknowledging that breaches are inevitable, and firms must be prepared to respond appropriately. He stated, "It’s not a matter of if, but when."

2. SEC's Role in Addressing Cyber Risks: The SEC is actively addressing cyber risks by enforcing existing rules and proposing enhancements to cybersecurity-related policies and procedures. 

3. Principles Guiding Enforcement Division: Mr. Grewal outlined five principles guiding the Enforcement Division's work to ensure registrants take their cybersecurity and disclosure obligations seriously:

   • Investing Public as Potential Victims: Consideration of the investing public as potential victims of cyber attacks on publicly traded companies.
   • Real Policies for Real World: Emphasis on the need for firms to have practical and effective cybersecurity policies, not just generic "check the box" approaches.
   • Regular Review and Update: The importance of regularly reviewing and updating cybersecurity policies to keep pace with evolving threats.
   • Right Information for Disclosure Decisions: Ensuring that the right information is reported to decision-makers when a cyber incident occurs.
   • Zero Tolerance for Gamesmanship: Discouraging gamesmanship around disclosure decisions and citing enforcement actions for misleading investors about cyber intrusions.

4. Cooperation with SEC Investigations: Mr. Grewal highlighted the benefits of meaningful cooperation with SEC investigations, including reduced penalties. 

For a look at the New SEC Cyber Reporting Rules you can read our latest blog: Navigating SEC Cyber Incident Reporting Requirements For Public Companies