It is no secret among public companies and their counsel that the US Securities and Exchange Commission has steadily adopted a more aggressive stance on cybersecurity controls and disclosure and incident response recordkeeping. SEC Senior Counsel Arsen Ablaev recently highlighted the Commission’s cybersecurity priorities at the annual Incident Response Forum Masterclass. SEC Chair Gary Gensler also emphasized risks in cyber and information security in the March 29 budget hearing with the House Appropriations Committee, and endorsed U.S. President Joe Biden’s request to earmark a record $2.4 billion in funding for the regulator in 2024. Last month saw yet another example of the SEC’s mounting focus on cyber disclosures as an enforcement priority with the announcement that cloud computing company Blackbaud agreed to pay a $3-million civil penalty to settle administrative charges for alleged “materially misleading disclosures” about a 2020 ransomware attack.
As we foreshadowed in our 2023 U.S. Cybersecurity and Data Privacy Outlook and Review, the increase in SEC enforcement resources (e.g., doubling the size of its Crypto Assets and Cyber Unit Ablaev sits in), in combination with the promulgation of cybersecurity risk management, strategy, governance, and incident disclosure rules Ablaev confirmed will be finalized in coming months, signal that cybersecurity will continue to be an area of heightened enforcement activity for the SEC. In light of these developments, it is critical companies take stock of their cyber hygiene policies and incident response protocols, and not only manage cybersecurity risks and prevent attacks, but also respond to them with proper disclosures.