By now, it’s well known that there is a new sheriff in town at the U.S. Securities and Exchange Commission and Gary Gensler’s SEC has already left its mark as a tough regulator. Perhaps nowhere is the contrast between former SEC Chair Jay Clayton’s Division of Enforcement and that of Chair Gensler more apparent than in the cybersecurity space. Just three years ago, then Co-Enforcement Director Stephanie Avakian stated that the SEC would not “second-guess reasonable, good faith disclosure decisions” concerning cybersecurity incidents. The SEC’s recent cybersecurity enforcement efforts, however, should serve as a warning to public companies and SEC registrants that the agency is scrutinizing the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure. These efforts have included five separate enforcement actions for deficiencies in cybersecurity disclosure controls and procedures and a massive cybersecurity “sweep” requesting information from hundreds, if not thousands, of companies related to the SolarWinds compromise.
This article highlights key takeaways from the SEC’s enforcement actions, summarizes the SEC’s recent enforcement efforts, and concludes with best practices for cybersecurity policies and procedures.
Although the SEC has always reviewed disclosures related to cybersecurity incidents carefully, and generally does not punish companies for their good faith judgment concerning those disclosures, its recent enforcement actions are of note because they have focused on the efficacy of companies’ cybersecurity disclosure controls and procedures. These actions presented certain facts which the SEC’s Division of Enforcement is likely to deem key to bringing an enforcement action, including:
As noted earlier, the SEC has brought five enforcement actions concerning cybersecurity disclosure controls and procedures, and commenced the SolarWinds sweep, since June 2021.
The recent slew of SEC enforcement actions makes it clear that the SEC will not be lenient on companies that fail to adopt and implement specific disclosure controls and procedures related to cyber incidents. SEC registrants must closely adhere to the Safeguards Rule, and public companies must follow the SEC’s February 2018 guidance on public company disclosure of cybersecurity risks and incidents. Among other things, public company controls and procedures should:
Executing cybersecurity disclosure controls and procedures best practices and complying with cybersecurity disclosure requirements can be daunting for even the most diligent of companies. Morrison & Foerster is here to help you develop disclosure controls and procedures that are tailored to your organization and to navigate the facts and circumstances of a materiality analysis. We offer a multidisciplinary approach involving our highly respected global Privacy + Data Security Group, Securities Litigation, Securities Enforcement, and Investigations + White Collar Defense Group, and Corporate Governance Group, all of which include well-respected alumni of the Securities and Exchange Commission and the U.S. Department of Justice.
The SEC Enforcement Division’s Initiatives Regarding Retail Investor Protection and Cybersecurity, Stephanie Avakian, Co-Director, Division of Enforcement (Oct. 26, 2017), available at https://www.sec.gov/news/speech/speech-avakian-2017-10-26.
SEC Announces Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021), available at https://www.sec.gov/news/press-release/2021-169. The Safeguards Rule requires every broker-dealer and every investment adviser registered with the Commission to adopt written policies and procedures reasonably designed to (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. 17 C.F.R. § 248.30(a).
In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs, available at https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs.
Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. Parts 229 and 249 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.