SEC Hints that Enforcement Actions on Lax Cybersecurity Might Be Coming

05.11.2017
Nossaman eAlert

With the confirmation of Jay Clayton as the Chair of the Securities and Exchange Commission, comments made last month by the Acting Enforcement Director, Stephanie Avakian, regarding the importance of accurate reporting in the area of cybersecurity, and consequences of inaccurate reporting, may get lost.  At a speech last month, Ms. Avakian, on behalf of the SEC, told an audience of corporate attorneys, We’ve not brought an action in that space.  Could I see a circumstance where we do?  Absolutely. Ms. Avakian softened these comments later in the speech, however, suggesting the SEC was not looking to second-guess good faith disclosure decisions.

Going forward, though, how should public companies react to Ms. Avakian’s statements?  With at least some degree of caution.  After all, the SEC has a history of honing in on an area of interest and filing lawsuits in waves.  Take the glut of lawsuits filed in the mid-2000s regarding backdated stock options, for example.  What started as a compensation system used by thousands of companies turned into a key target for the SEC’s Enforcement Division, with dozens of civil lawsuits filed, and a number of officers and directors going to prison in related criminal actions.  Cybersecurity reporting is obviously not the same stock option backdating.  However, like backdating it has been repeatedly described as an area of focus for the SEC.  And because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit.  Hackers are not going away, and it is likely that every company will be compromised at some point.  So what will happen if the Enforcement Division decides to look closely at the disclosures of public companies after hacking events?

No one knows for sure.  There is no reason to believe that companies that take good faith measures will be the target of an enforcement action.  But one can look to the FCC’s pursuit of companies that it believes failed to take proper steps to secure its data for a hint at what may come.  These companies, such as Wyndham Hotels, thought they had taken good faith cybersecurity measures, and still ended up in the crosshairs.  For now, the only recourse public companies can take is to review their reporting disclosures for accuracy and keep an eye on how the SEC handles matters going forward.

Twitter/X Facebook LinkedIn PDF
Jump to Page

Nossaman LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek