Reports indicate that SEC enforcement has turned its focus to possible disclosure failures by victims of cyber breaches. SEC enforcement apparently sent requests last week to a number of public companies and investment firms asking for information about the SolarWinds cyberattack in December 2020, looking for possible violations of disclosure and internal control requirements by those impacted by the incident. Also last week, the SEC announced charges against a public company for failing to have adequate disclosure controls and procedures in connection with disclosures about a cyber breach, fining the company approximately $500,000. (see https://americas-insights.linklaters.com/post/102h0id/sec-charges-issuer-with-cybersecurity-disclosure-controls-failures). It is clear that public companies need to worry not only about attacks from hackers, but disclosures to investors about material cybersecurity incidents and risks. Now is the time for your company to consider whether its disclosure policies and controls include sufficient consideration of cyber matters so that the question of whether appropriate disclosures were made to investors is not one of the issues adding to your troubles if you're hacked.
"U.S. securities law requires companies to disclose material information that could affect their share prices, including cyber breaches, although cyber security disclosure failures are still relatively new enforcement territory for the SEC."