Partner and Securities Enforcement Defense Co-Chair Danette Edwards shares her thoughts with CFO Dive on what the new cybersecurity rules from the Securities and Exchange Commission (SEC) mean for chief financial officers (CFOs). Expected to be aggressively enforced, the rules require public companies to disclose any "material cybersecurity incidents" to the SEC within four days of determining there was such an occurrence. When asked about new risks facing CFOs in the current climate, Danette stated, "The stakes are high for CFOs because they include the possibility of being charged by the SEC or other government regulators as well as being sued in shareholder litigation and other private actions."

Danette noted that CFO liability is not cut and dried in an SEC investigation, nor should CFOs take too much comfort from the lack of charges in the SEC's recent complaint against SolarWinds, saying, "I think it's going to be a fact-specific inquiry in every case." She added that there are ways to mitigate and later defend against liability by, for example, contemporaneously documenting the reasons supporting cybersecurity decisions related to funding for cyber protections and disclosures, as that could provide context and justification down the road.

"Cybersecurity pressures stretch CFOs," CFO Dive, December 12, 2023

Related Professionals
Related Practices
Related Industries
Related Offices
Recent News