Partner and Securities Enforcement Defense Co-Chair Danette Edwards spoke with Wolters Kluwer regarding the Securities and Exchange Commission's (SEC) recently adopted cybersecurity risk management and disclosure rules. When asked about the discretion that companies have to determine what constitutes a material cybersecurity incident requiring disclosure, Danette stated, "Some things a company might consider when making this determination include what and how much information was stolen, the expected consequences of the incident, whether the incident damaged the company's internal controls, and the range of legal consequences and reputational risks." She added that although some issues resulting from a cybersecurity incident may not be immediately discernable, having robust disclosure controls and procedures would help registrants with their materiality assessments. Even so, Danette predicted, "The impacts of a cyber incident can become clearer over time, and this may alter a company's original materiality evaluation, prompting new or corrective disclosures. We will likely see more corrective disclosures in the future."
Danette also predicted that enforcement actions, along with private litigation, will increase. "More incidents will lead to more disclosures for enforcers and private litigants to scrutinize. And of course, now that there are new SEC rules, it would be reasonable to expect additional SEC enforcement actions targeting instances of non-compliance with the new rules."
"SEC Cybersecurity Disclosure Rules Take Effect: What Public Companies Need to Know," Wolters Kluwer, October 3, 2023
Related Professionals
-
Partner and Co-Chair, Securities Enforcement Defense+1.202.625.3543
Washington, DC
