Importance of Strong Disclosure Controls Highlighted by Recent SEC Enforcement Actions

On October 22, 2024, the Securities and Exchange Commission (SEC) announced enforcement actions against a number of tech companies for disclosures that understated their cybersecurity risks and the breaches they had actually suffered. One of the companies was also charged with failing to maintain adequate disclosure controls and procedures.

So, what can we learn from these enforcement actions?

Firstly, companies need to revisit their disclosures after a cybersecurity incident. If what happened changes the company’s risk factors, investors need to be told. That means disclosing not just the incident itself, but also its potential impact and the risks that flow from it.

Secondly, having clear policies and procedures for quickly escalating cybersecurity incidents to the people who make disclosure decisions is key. Without them, the information needed for an accurate disclosure may never reach the right people in time.

Lastly, it’s vital to understand what the SEC considers material when it comes to cybersecurity incidents. Downplaying the seriousness of a breach, or describing it in generic or hypothetical terms when the company knows the specifics, is exactly what these actions target.

The civil penalties in these cases ranged from $990,000 to $4 million, a signal that the SEC is serious about enforcing its cybersecurity disclosure rules.

Interestingly, two SEC commissioners dissented from these actions. It is widely anticipated that a change of administration at the SEC could bring a different approach to cybersecurity-related enforcement.

The SEC’s case against these companies boiled down to two main issues:

1. Omitting material information from disclosures: Companies left out important details about the cybersecurity threats they faced and the breaches they had experienced, details a reasonable investor would have wanted to know.

2. Failing to update disclosures for known risks: Even after experiencing incidents, some companies kept describing those risks as hypothetical in their risk-factor disclosures instead of reflecting the new and ongoing risks they now actually faced.

So, what can companies take away from these enforcement actions?

When deciding what to disclose about a cybersecurity incident, companies should ask how important that information would be to a reasonable investor. In practice, what data was exposed and how sensitive it was tend to be central to that judgment.

After a cybersecurity incident, it’s crucial to reevaluate risk-factor disclosures. If the incident changes the company’s cybersecurity risk profile in a significant way, the disclosure needs to be updated to match.

Companies should also review their disclosure controls and procedures to make sure they can handle cybersecurity incidents effectively. That may mean strengthening the internal processes used to identify incidents, assess their significance, and get them disclosed in a timely and accurate manner.

As for the dissenting commissioners, they have made clear that they do not agree with the SEC’s current approach to regulating cybersecurity disclosures. In their view, disclosures should focus on the impact of an incident rather than on the specific technical details of how it occurred.

Overall, the SEC’s actions serve as a reminder to companies to take cybersecurity disclosures seriously and to ensure that they are transparent and comprehensive in their reporting.
