Alston & Bird Privacy Blog

SEC Continues to Focus on Cyber-related Disclosures

February 23, 2016 By Cara Peterman

Speaking on a panel at the “SEC Speaks” event on February 19, Stephanie Avakian, Deputy Director of the SEC’s Enforcement Division, said that cybersecurity remains a top priority for the Commission in 2016.

Avakian discussed the Commission’s cybersecurity concerns in three contexts: (1) failure of registered entities to follow Rule 30(a) of Regulation S-P (the “Safeguards Rule”) in protecting customers’ records and information; (2) illicit securities trading following theft of material non-public information; and (3) cyber-related disclosures by public companies, including disclosure of material intrusions.

On the issue of disclosures, Avakian confirmed the Commission’s position that a “company that has been the victim of an intrusion is just that: a victim,” and noted that accurate disclosure can be difficult immediately following a breach. No rules regarding cyber-related disclosures have been promulgated by the SEC to date, but in 2011 the Division of Corporation Finance published guidance regarding cybersecurity risks and cyber incidents, and stated that a “registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.” While the Commission has not yet brought any actions arising out of this guidance, Avakian said that she could envision an enforcement action in the event of a “significant disclosure failure.” Finally, she encouraged companies that are victims of cyberattacks to involve law enforcement as soon as possible following a breach.

Avakian’s statements come in the wake of SEC Enforcement Director Andrew Ceresney’s comment last month that the Commission is unlikely to penalize companies over cybersecurity disclosures. Ceresney has been quoted as saying: “I’m not saying it’s not possible, but it would need to be a very clear violation for there to be a case.”

Filed Under: Cyber Risk, Cybersecurity, Enforcement, Regulation Tagged With: Securities and Exchange Commission

About Cara Peterman

Cara Peterman is a partner with the firm’s Securities Litigation Group. Her practice focuses on fiduciary duty and shareholder derivative suits, securities fraud, and other complex commercial litigation.

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.

